Device and related method for dynamic traffic mirroring

ABSTRACT

A function is provided in a network system for the dynamic mirroring of network traffic for a variety of purposes including the identification of characteristics of the traffic. Multiple criteria are established for when, what and where to mirror the traffic. The criteria include what frames of traffic to mirror, what portions of the selected frames to mirror, one or more portals through which to mirror the selected frames, a destination for the mirroring and the establishment of a mirror in a device to carry out the mirroring. The criteria may also include when to stop the mirroring. The mirroring instructions can be changed based on the detection of a triggering event, such as authentication, device type or status, ownership of an attached function attached to the device, flow status, but not limited to that. The function may be established in one or more devices of the network.

CROSS REFERENCE TO RELATED APPLICATIONS

The present application is a continuation application, and claims thepriority benefit, of U.S. nonprovisional patent application Ser. No.13/835,815 entitled “A DEVICE AND RELATED METHOD FOR DYNAMIC TRAFFICMIRRORING” owned by a common assignee and with the same named inventors.The entire content of the priority application is incorporated herein byreference. This application is also related to the followingapplications owned by a common assignee and all of which were filed onthe same date as the priority application. All are incorporated hereinby reference. The related applications are identified by title andcorresponding serial number as follows: A DEVICE AND RELATED METHOD FORDYNAMIC TRAFFIC MIRRORING POLICY, Ser. No. 13/835,679, A DEVICE ANDRELATED METHOD FOR ESTABLISHING NETWORK POLICY BASED ON APPLICATIONS,Ser. No. 13/836,048, A DEVICE AND RELATED METHOD FOR APPLICATIONIDENTIFICATION, Ser. No. 13/836,195, A SYSTEM AND RELATED METHOD FORNETWORK MONITORING AND CONTROL BASED ON APPLICATIONS, Ser. No.13/836,371, and A DEVICE AND RELATED METHOD FOR SCORING APPLICATIONSRUNNING ON A NETWORK, Ser. No. 13/836,545.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to computer-based networks and theircomponents. More particularly, the present invention relates to use,operation and control of the network.

2. Description of the Prior Art

Interconnected computing systems having some sort of commonality formthe basis of a network. A network permits communication or signalexchange through packet forwarding among computing systems of a commongroup in some selectable way. The interconnection of those computingsystems, as well as the devices that regulate and facilitate theexchange among the systems, represent a network. Further, networks maybe interconnected together to establish internetworks. For purposes ofthe description of the present invention, the devices and functions thatestablish the interconnection represent the network infrastructure. Theusers, computing devices and the like that use that networkinfrastructure to communicate are referred to herein as attachedfunctions and will be further defined. The combination of the attachedfunctions and the network infrastructure will be referred to as anetwork system.

The process by which the various computing systems of a network orinternetwork communicate is generally regulated by agreed-upon signalexchange standards and protocols embodied in network interface cards orcircuitry and software, firmware and microcoded algorithms. Suchstandards and protocols were borne out of the need and desire to provideinteroperability among the array of computing systems available from aplurality of suppliers. Two organizations that have been responsible forsignal exchange standardization are the Institute of Electrical andElectronic Engineers (IEEE) and the Internet Engineering Task Force(IETF). In particular, the IEEE standards for internetwork operabilityhave been established, or are in the process of being established, underthe purview of the IEEE 802 committee on Local Area Networks (LANs) andMetropolitan Area Networks (MANs). The IEEE standards include many welldefined methods of wired, fiber optic and Radio Frequency (RF orwireless) methods of network communications and are well known to thoseskilled in the art.

Access to applications, files, databases, programs, and othercapabilities associated with the entirety of a discrete network isrestricted largely based on the identity of the user and/or the networkattached functions. For the purpose of the description of the presentinvention, a “user” is a human being who interfaces via a computingdevice with the services associated with a network. For further purposesof clarity, a “network attached function” or an “attached function” maybe a user connected to the network through a computing device and anetwork interface device, an attached device connected to the network, afunction using the services of or providing services to the network, oran application associated with an attached device. Upon authenticationor other form of confirmation of the offered attached function identity,the attached function may access network services at the level permittedfor that identification. For purposes of the present description,“network services” include, but are not limited to, access, Quality ofService (QoS), bandwidth, priority, computer programs, computerapplications, databases, files, and network and server control systemsthat attached functions may use or manipulate for the purpose ofconducting the business of the enterprise employing the network as anenterprise asset.

A network administrator grants particular permissions to particularattached functions by establishing network use policies which areenforced at various points in the network. A network policy is an action(or nonaction) to be undertaken based on the existence or occurrence ofa defined condition or event. An “event” for purposes of describing thepresent invention, is a detectable or discernible occurrence that may beconsidered to have an impact on network operations or performance.Events may be defined by the network administrator. Some events warrantthe undertaking of an action to respond, address or otherwise accountfor those events. Events that warrant the undertaking of some action maybe referred to herein as “triggers.” Examples of events that may betrigger events include, but are not limited to, time outs, link changesup or down, link speed changes, user changes, device changes, deviceadditions, network service changes, access device changes, locationchanges, Intrusion Detection System (IDS) or Firewall events,application access requests, priority change requests, protocol changes,the addition of a wireless access user, policy changes made, bandwidthchanges, routing link changes, changes of monitored conditions, localand remote policy changes and network system changes. More generally forpurposes of the description of the present invention, a “trigger” is anydetected or observed event, activity, occurrence, information orcharacteristic identified in a network system by the networkadministrator as being of interest for the purpose of making amodification to an assigned set of policies. The types of triggers thatdefine usage restrictions may be of any type of interest to the networkadministrator. Network policies are generally directed toadministration, management, and/or control of access to or usage ofnetwork services. A network policy may also be a policy abstraction thatis the translation of one or more network policies to a different levelof abstraction. For example, multiple network use policies may bebundled into a higher-level abstract network policy for ease of handlingand naming; a network policy set is simply a policy composed of one ormore policies.

The network policies are typically defined in and regulated through anetwork policy server device of the network infrastructure controlled bythe administrator. The established policies are transmitted to networkinterface devices of the network infrastructure, referred to herein aspacket forwarding devices, at a point of connection to an attachedfunction. That connection point is referred to herein as a port of thepacket forwarding device. As part of the authentication process, aparticular set of policies are established by the administrator for thatattached function. That is, the port at which that attached function isattached to the packet forwarding device is configured to effect thosepolicies, often by installing other policies or installing or enabling aset of rules for the policy. For example, QoS, bandwidth, and prioritylevels may be set at certain values for one identified attached functionand at different levels for another attached function.

A network session is the establishment of an association between anattached function and one or more network services through the networkinfrastructure. The session includes a series of electronic signalexchanges referred to as packets and one or more packets to the samedestination is typically referred to as a flow. It is to be understoodthat a network system may be embodied in the combination orinterrelation between one or more attached functions and one or morenetwork infrastructure devices. At the outset of a network session,often in relation to the authentication of the attached function seekingto initiate the session, an association is created between the sessionand one or more network services, constrained by one or more networkpolicies established by the administrator through a network controlmanager device such as the network policy server and carried out orenforced by one or more of the packet forwarding devices of the networkinfrastructure.

Access to network services may be limited by conditions other thanattached function user authentication. For example, an attached functionseeking usage of a discrete network system through virtual privatenetworking may be isolated from certain network services simply becauseprivate network entry is made through a public portal such as theinternet. It is also understood that in certain settings offeringwireless connectivity, network usage may be limited upon detection ofattached function attempts to seek unauthorized access to specifiedrestricted network services. However, these isolated efforts at networkuser control based on something other than user identificationauthentication are insufficient for complete network control andsecurity. What is needed is a comprehensive and integrated system forcontrolling network usage for all users and devices at all times and toallow users to access the network services from alternate or unknowndevices or device types. Additionally, authorized users may at times usethe network in unauthorized ways, so what is needed is a way toidentify, limit and enforce uses of all accesses independently to allowproper uses to continue and limit unauthorized uses or simply uses thatgo against administrator set network policies. The limitations to usealso need to be structured in ways the network administrators andauthoritative personnel can structure, organize, communicate, administerand enforce the access and use of the network. Network policy or apolicy driven network is one organizational approach to abstract thecontrol of the network to users, roles and network services. Policybased networking has, however, not been able to provide limits to usebased on the applications being used in the network since the method,placement, compute power and granularity of use has not been built intothe network fabric before now. The identification of who, where and whatapplications are running in the network system can then lead to controland allocation of network resources to support the needs as allowed andadministered.

Events and activities do occur that may be harmful to the networksystem. For purposes of this description, harm to the network systemincludes, for example, denying access to the network, denying access tothe service, once access to the network is allowed, intentionally tyingup network computing resources, intentionally forcing bandwidthavailability reduction, and restricting, denying or modifyingnetwork-related information. Intrusion Detection Systems are used tomonitor the traffic associated with network sessions in an effort todetect harmful activity. However, IDS functions normally only monitortraffic and analyze the traffic flow for harm, they do not analyze otherinformation nor do they generate or enforce policies. They are designedto observe the packets, the state of the packets, and patterns of usageof the packets entering or within the network infrastructure for harmfulbehavior. There is some limited capability to respond automatically to adetected intrusion including through intrusion prevention systems.However, these detection systems are configured to search for specificpatterns of signals that represent harmful activity. The benefit of theIDS is dependent on the effectiveness of the library of signatures usedto detect harmful transmissions.

IDSs frequently implement a signature language that includesfunctionality allowing a security analyst to describe harmful activityon the network. Such signature languages are fairly complex in order todeal with application layer encodings, handle evasion techniquesleveraged by attackers, reduce false positives and generally provide areliable way to describe the characteristics of current network harmefforts. Applications that may be harmful to the network or at leastthat can slow down network processes that are not of sufficientimportance to the enterprise can be difficult to reliably characterizeor “fingerprint” due to efforts to evade such characterizations.Encrypted Bittorrent and Skype are examples of such applications thatare difficult to fingerprint. It would be desirable to have a networkfunction that can fingerprint applications in an effective manner. Tothe extent any IDS has some form of application detection functionality,it is limited to evaluating for malicious activity. The networkadministrator, in order to be more effective in protecting networkservices and maximizing network efficiency, would prefer to havecharacterization of as many applications used on the network aspossible, regardless of whether any of the applications are malicious.

From the security and usage efficiency perspectives, the network systemsindustry has had some difficulty keeping pace with the explosion in thenumber and types of applications used on networks. This revolution isbeing powered by new models for application availability embodied byBring Your Own Device (BYOD) and Cloud Computing environments. Thenetworking model that has been in existence along with theinfrastructure that maintains availability and applies policy has notkept pace with the rapid increase in applications. It is desirable tohave a network infrastructure architecture that is configured to keeppace with the expansion of application usage on the network.

For purposes of describing the present invention, an “application”,which may also be referred to herein as a “computer application” to becharacterized (including, for example, by fingerprinting and such othermechanisms as described herein) is any computer code that communicatesover the network interface or uses communication-enabling devices of thenetwork as part of it operation. An application is a computer programdesigned to perform an action. The application can run on any type ofcomputing device including, but not limited to, a server of a network, adesktop computer, a laptop, a tablet, PDA or a smart phone. Anapplication, for purposes of the present invention, includes systemcomputer programs that run computing devices, utility computer programsthat perform maintenance and upkeep of computing devices and networks ofcomputing devices, programming tools used to create computer programs,as well as high-level functional computer programs that perform tasksand carry out activities initiated by end users on computing devices. Asnoted, operating systems are also considered to be applications withrespect to the present invention as they may be characterized based oninferences made using operating system specifics from theircommunications. In addition, network infrastructure device themselvesuse the network for routing protocols and other traffic such as networkmanagement which we will also consider to be applications or uses of thenetwork as demonstrated by adding traffic to the network system.Further, “application fingerprinting” or “application identification” isthe act of collecting network traffic and parsing it according to apacket or flow signature set or by statistics, heuristics, history,installed applications base, or other mechanisms, including custommechanisms. It may include the use of classification techniques used inlayer 2 and layer 3 switches and routers. This characterizationapplication identification represents all applications and usescommunicated on the network system directly or indirectly. The term“applications running on the network” or variants of that term are usedherein to describe those applications that are used, accessed orotherwise engaged through one or more devices of the networkinfrastructure.

The Open System Interconnection (OSI) model defines a networkingframework to implement protocols in seven layers. Control is passed fromone layer to the next, starting at the application layer in one station,and proceeding to the bottom layer, over the channel to the next stationand back up the hierarchy. The seven layers in reverse order are:Application (layer 7), Presentation (layer 6), Session (layer 5),Transport (layer 4), Network (layer 3), Data Link (layer 2) and Physical(layer 1). The present invention is directed to management of signalexchanges through these OSI layers and they may be referred to hereinfrom time to time.

The Application layer supports computer program applications andend-user processes. Communication partners are identified, quality ofservice is identified, user authentication and privacy are considered,and any constraints on data syntax are identified. Everything at thislayer is application-specific. This layer provides application servicesfor file transfers, e-mail and other network software services. Telnetand FTP are applications that exist entirely in the application level.Tiered application architectures are part of this layer. ThePresentation layer provides independence from differences in datarepresentation (e.g., encryption) by translating from application tonetwork format, and vice versa. The presentation layer works totransform data into the form that the application layer can accept. Thislayer formats and encrypts data to be sent across a network, providingfreedom from compatibility problems. The Session layer establishes,manages and terminates connections between applications. The sessionlayer sets up, coordinates, and terminates conversations, exchanges, anddialogues or “flows” between the applications at each end of an exchangebetween attached functions, between attached functions and networkinfrastructure devices and between network infrastructure devices. Itdeals with session and connection coordination. The Transport layerprovides transparent transfer of data between end systems and isresponsible for end-to-end error recovery and flow control. The Networklayer provides switching and routing functionalities, creating logicalpaths, sometimes referred to as virtual circuits, for transmitting datafrom node to node. Routing and forwarding are functions of this layer,as well as addressing, internetworking, error handling, congestioncontrol and packet sequencing. The Data Link layer encodes and decodesdata packets into bits. It furnishes transmission protocol knowledge andmanagement and handles errors in the physical layer, flow control andframe synchronization. The Data Link layer is divided into two sublayers: The Media Access Control (MAC) layer and the Logical LinkControl (LLC) layer. The MAC sub layer controls how a computer on thenetwork gains access to the data link and controls permission totransmit on it. The LLC layer controls frame synchronization, flowcontrol and error checking. The Physical layer conveys the bitstream—electrical impulse, light or radio signal—through the networklinks (wires, fiber, RF) at the electrical and mechanical level. Itprovides the hardware means of sending and receiving data on a carrier,including semiconductor components, wires, cables, cards and otherphysical structures.

SUMMARY OF THE INVENTION

The present invention includes an application identification function, adynamic traffic mirroring function, a policy based dynamic mirroringfunction and a network system controller, all directed to improvingnetwork manageability, security and efficiency of operation. Theapplication identification function carried out through an applicationidentification engine, enables the determination or identification ofthe applications running in the network system through devices of thenetwork infrastructure by snooping the flows of network traffic andmaking a characterization of the likely application associated withflows with a minimal amount of data in observed frames of receivedpackets to do so. Signature languages have been leveraged in applicationfingerprinting products, but these languages were not in the pastdeveloped specifically for the purpose of application fingerprinting.The present invention takes advantage of intrusion detection languagesfor the purpose of fingerprinting applications with significantextensions to improve the application identification capabilities.

The application identification function of the present inventionincludes several mechanisms, but is not limited to those describedherein, in order to identify computer applications running on thenetwork through examination of characteristics of information associatedwith frames of packets received on one or more devices of the network. Afirst mechanism is the signature-based parsing of network traffic with asignature language that is ideally adapted to describe what applicationcommunications look like based on the packets transmitted by theapplication. A second mechanism is a heuristics-based processingapproach to infer the existence of certain applications that cannotreliably be fingerprinted with signature-based means. Otheridentification options include, but are not limited to, port values,protocol values, statistics analysis, customized programs dependent oncharacteristics unique to a program and OSI layer 2 information. Furtheractive and passive actions may be employed as mechanisms for applicationidentification including, for example, the probing of attached networkand external devices for installed applications, e.g., by sendingrequests for information associated with applications running on thenetwork. The very presence of certain devices on the network may also beused to ascertain the presence of certain applications as those devicescommunicate on the network.

In making an application identification, just as network intrusiondetection systems develop strategies for the reduction of falsepositives when trying to detect malicious network usage, properapplication fingerprinting must also leverage similar strategies.Reliable application fingerprinting is best accomplished through thiscombination of both signature and heuristic processing, but there is aninherent conflict between the two techniques when both are appliedsimultaneously. That is, if a signature says that certain networktraffic is application X but a heuristic method says that the sametraffic is application Y, which should be most trusted? Through theconstruction of a scoring system of the present invention with allavailable mechanisms including those described herein receiving areliability score, this problem is resolved and leverage all techniquesto the best advantage. The scoring system may be derived from a networktraining period for any specific application fingerprinting deployment,and through the information gained in the training period, a set ofscores is assigned to all signatures and heuristic methods. After thetraining period is over, then the most reliable application fingerprintsare those that attain the highest matching score. That determination isestablished in the application identification function and transmittedto one or more other devices of the network, including a network controlmanager.

The present invention further includes a mechanism by which applicationfingerprinting may be enhanced by the experiences of others. That is,the training arrangement described above is effective when sufficientpacket transmission occurs in the network to enable the applicationcharacterization. However, the network may not see all applications orenough data for all applications to effect sufficient training. Thepresent invention includes the addition of at least pluggable binarymodules so that any user can develop custom fingerprinting techniquesaccording to a packet inspection Application Programming Interface(API). This allows the users of the present invention to augmentsupplied application fingerprinting functionality with new or customtechniques for fingerprinting applications in ways not included in thesupplied version. This enhancement of available fingerprints isanalogous to an open signature language that became an essentialcomponent of major intrusion detection systems in the security world andis desirable because some applications are highly specialized andrequire dedicated algorithms for reliable detection. By providing anopen API for third parties to create characterization programs against,the present invention provides users with a unique infrastructure toacquire packet data that can be processed by the applicationidentification function. An example usage of this option is theimplementation of the Luhn Algorithm for the detection of credit carddata as it traverses a network.

An aspect of the present invention is the forwarding of one or moreframes contained in packets or one or more portions of frames in packetsof a flow or at the initiation of a session to the applicationidentification engine of one or more devices of the networkinfrastructure for the purpose of determining the application associatedwith the flow/session being established. That is, the mirroring of theone or more packets or portions of packets to a destination other thanthe original intended destination. The present invention includes adynamic network traffic mirror function that may be used to mirrortraffic through a dedicated port or a selectable portal of a packetforwarding device. The mirroring may be done selectively rather thansimply on a regular basis, which would be inefficient. The ability todynamically launch/create a traffic (flow) mirror to an IDS and/or tothe application identification engine improves the capability to monitorthe flows of the network anywhere while only needing a very limited setof monitors, IDS sensors or APP ID devices. Frames of flows of trafficfrom any packet forwarding device can be mirrored without disturbing thenormal routing of the messages and maximizing the usage of networkbandwidth and the usage of other devices of the network, including IDSs.The dynamic network traffic mirror function can be included ordynamically added to a packet forwarding device of the network system.

Packet forwarding devices of the network infrastructure transmit andreceive packets through their ports. A “port” includes a physicalcomponent that is a structure to establish a connection between networksystem devices, including packet forwarding devices, servers andattached functions. However, as is known by those skilled in the art andas used herein, a port is also an application-specific orprocess-specific software or software and hardware construct serving asa communications endpoint in a network system, the endpoint may be adevice of the network infrastructure or an attached function. A port isassociated with an IP address of the host, as well as the type ofprotocol used for communication. A port is identified for each addressand protocol by a 16-bit number, commonly known as the port number. Theport number, added to a network device's address (such as the device'sIP address), completes the destination address for a communicationsession. It is the combination of an IP address and a port numbertogether that must be globally unique for all communication sessions ina network system. Different IP addresses or protocols may use the sameport number for communication.

As seen above a “port” may have several meanings and this may lead toconfusion in its use. Further, there is another concept regarding themirroring of data from a mirror source to a mirror destination. In asimple configuration, the data packets are simply copied to anotherphysical port on the packet forwarding device. In the classic sense a“port mirror” is the copying of all the data received (and/ortransmitted) being copied to another port on the same switching device.The traffic mirrors defined herein are more comprehensive than merelycopying the traffic to another physical port. The mirrors may use aGeneric Routing Encapsulation (GRE) or a Virtual Private Network (VPN)as a transport level tunnel to another device anywhere on the enterprisenetwork or, in fact, anywhere across the Internet. A MAC level or VLANencapsulation may also be used as a transport mechanism, such as theVLAN connection path encapsulation described in U.S. Pat. No. 6,449,279incorporated herein by reference, to another device such as the IDS orAPP ID engine. To help make clear the operation of the mirrors usedherein, the term “portal” is used to identify the connection the mirrorsource uses. The portal may be as simple as another port on the samedevice or the traffic may go back out the same physical port on thedevice encapsulated or tagged in some way. Tunnels, virtual ports,internal interfaces, VPNs, other protocols, and other transportmechanisms including dedicated lines of any physical layer type may allbe set up, used and defined as part of the mirror portal. The termportal therefore refers to that logical link to the mirrored traffic'sdestination. The portal acts as a connection including as a tunneledconnection, and is responsible for delivering the traffic to the otherend (the destination end) subject to the limitations of the portalitself. Some portals guarantee transport delivery, while others are besteffort delivery, still other portals may have encapsulation limitations.Mirror set-up along with destination selection, location, service andperformance or dynamic mirroring policies may determine the portal orportal type to use for a specific mirror.

The dynamic traffic mirroring function of the present invention is notlimited to only facilitating the identification of computer applicationsrunning on the network. It provides the capability to select optionsbased on a plurality of criteria to mirror any portion or all of theframes of packets received on the network. The dynamic traffic mirroringfunction can do at least one or more of: 1) mirror all or any portion ofthe flow, such as the first N packets, the first M fields, the first LBytes, selected fields and one-way or bidirectional flows; 2) defineflows by source address-destination address, Tuple, 5-tuple,application, etc.; and 3) transport the packets by portals togeneralized or specific destinations. It can be controlled by an IDSand/or by a dynamic mirror controller, the network control manager orother network infrastructure devices. The function may be located in anetwork device selected to carry out selectable mirroring functionsbased on one or more of mirroring device load, bandwidth, security (orencryption could be added), ability to maintain flow pathways to adesignated location, require encryption for transmission beyond thedesignated location, locality (of source, receiver or another device ofthe network), direction or flows (e.g., mirror the source of a flow atone point and the traffic returned from the destination at another pointin the network). This set-up flexibility allows for morebandwidth-efficient mirroring, it can be used to take mirror traffic outof the high “cost” paths of the network, it can be used to controlmirror traffic to be set at low priority when in “search” mode and thenset to a higher priority when in “isolate a problem” mode. Moreover,with the dynamic mirroring function, traffic can be controlled by morethan one IDS, application identification engine, monitor, logger, etc.to more than one destination and/or to multiple monitoring devices thatcan be specialized or dedicated to certain tasks without physicalnetwork topology location dependence. In effect, this function providesautomated dynamic intelligent filtered flow mirroring to multipleportals.

Mirroring has typically been a manually set up “port mirror” to anotherport on the switch. The dynamic traffic mirror of the present inventionextends the ability to “flow mirror” the first N-packets or othervarying sets of frames in a new flow and other selections of existingflows or data within the flow. This function brings data flows fromanywhere in the network to the IDS or any other selectable networkinfrastructure device or function. IDS devices no longer need to belocated on the segment they monitor in the network, although they couldbe, with other flows not normally passing that point being “mirrored” tothe device. This makes the IDSs, as well as other types of monitoringdevices, of the network more efficient. Mirrors can be controlled toonly “mirror” relevant traffic and the mirroring controller candefine/change the mirrors based on detected events, time-of-day, IDSload, etc. It is noted that many IDS signature matches happen earlywithin application layer communications, so the dynamic mirror functionwith respect to application identification at least is an IDS enablerwhile at the same time allowing for greater efficiency of flow setup andactivity. More broadly, the dynamic mirror function can be used tofilter traffic flows and that filtering can be changed automaticallyon-the-fly. Less investment in monitoring equipment, such as ApplicationIdentification or IDS equipment required by customers, is accomplishedcheaper and better than has heretofore been possible with more flowsmonitored and less monitor processing bandwidth being used to handlepackets for which examination of the content of frames of those packetsdoes not don't contribute to enhanced intrusion detection. The dynamicmirroring function enables transmission to multiple devices of thenetwork by establishing multiple portals to do so. As a result, it isnot limited to a specific transmission port and mirroring to more than asingle device (dynamically) can occur at one time. Existing port mirrorstend to mirror the traffic to only one other device on a single port.

The set-up, teardown and filtering employed in the mirroring activitycan be adjusted based on network policies, the detection of particulartriggers by the device performing the mirroring or another networkinfrastructure device. This aspect of the present invention may be setup and controlled by the dynamic mirroring policy. Examples for criteriawhich may generate a mirroring activity include, but are not limited to,frames of packets, the content of particular fields in a frame, flowcounts, the end of a flow, a regularly timed mirroring initiation or anyother conditions of interest to the network administrator can be used asconditions for establishing mirroring activities on a device of thenetwork. In addition, events or criteria may be established for stoppingthe mirroring function. For example, a mirroring activity may be stoppedbased on the data value in a packet field, a network, regional or devicespecific event, a simple count of packets or other flow metric, a timeout, the end of flow or based on a change in a prioritization condition(i.e., a condition has occurred wherein mirroring must be performed on adifferent flow that has been designated as being of higher priority formirroring, particularly when the device carrying out the mirroring haslimited capacity in that regard.

As noted, the dynamic traffic mirroring function is not limited to IDSoperations or even application-specific network analysis and control.For example, it may be used more generally in network access control.Dynamic traffic mirroring points are established through dynamicmirroring policies of a dynamic traffic policy function. The mirroringpolicies that may be dynamically established are dependent on a widerange of triggering conditions. Examples of such mirroring policiesinclude, but are not limited to: 1) mirror the first N packets of anynew application flow from a source to the nearest IDS; 2) mirror allflows from a newly authenticated user for a specified time to anavailable application engine; 3) determine the IDS to use based onload/location/priority; 4) randomly mirror flows (spot checks) asbandwidth and IDS loads allow; and 5) mirror all new flows to/from theinternet router/gateway/firewall for N packets. Current mirroringpolicies, to the extent they exist in a network system, are either adhoc or simply manually controlled by administrators. These may belimited to the locality of IDS devices and network topology. Flows oftraffic from any packet forwarding device may be mirrored based onpolicy rules based on: 1) network loads at various points; 2) time ofthe day; 3) link outages and other topology bandwidth constraints; 4)server location and status; 5) user numbers; and 6) wireless accesspoint use and number. Further, the dynamic mirroring function may beused based on policies based on the conditions noted herein regardingdynamic mirroring for application identification.

This general policy-based mirroring allows network administrators to setnetwork mirror policies for various network monitors including, forexample, application identification appliances, IDSs, network loggers,analyzers, etc. These policies may be set based on device, user,topology, time-of-day, network events (e.g., triggers) mirrored todevice availability, location and load. Given the breath of dynamicmirroring capabilities, the capabilities exceed administrator manualset-up capabilities. Rapid dynamic mirrors can better optimize monitorand IDS devices and possibly other network devices and remove theirphysical location as a primary factor in their physical placement in thenetwork topology. This provides the added structure of policy rules fordynamic network traffic mirroring so that policies may be based on userroles and or device services, for example. As noted, it provides thecapability to improve coverage and IDS utilizations and it improves theability to “monitor” the right flows (filtered) flows at the righttimes. The present invention thus provides an automatic way to deal withnetwork events. For purposes of the present invention, automatic actionsmean those actions that are carried out by a device of the networksystem based on a condition or event detected by a device of the networksystem that causes the initiation, through one or more devices of thenetwork system, of changes in one or more of one or more policies, oneor more rules, and one or more actions without requiring humanintervention to initiate the one or more changes when the condition orevent has been detected.

In the context of application-based dynamic network policy, the presentinvention includes the usage of such information to apply a policy to anapplication level flow, or set of flows or to modify local ornetwork-wide policies. The application identification function describedherein can be used to extract metadata such as HTTP request referrers,SSL common names, usernames in various protocols, Kerberos keyinformation and more as a mechanism to change network policy and userules on the fly. Thresholds, pattern matches, and other modifiers canbe leveraged to have the network enforce policy rules against flowsbased on these metadata specifics. The application signaturesfingerprinting mechanism for application identification can be enhancedto include the ability to log application information including, forexample, layer metadata, and further can be used for modification ofnetwork policy. The other mechanisms described herein for applicationidentification may also be used to characterize information associatedwith applications running on the network and that information may beused in establishing policies. Beyond changing policy based on amacro-level application fingerprint, the usage of metadata allowsnetwork policy to be applied based on much more fine grained applicationdescriptors. In one version of this functionality, the policyenforcement mechanism can parse and leverage application identificationinformation produced by the application fingerprinting function. Inanother version, metadata may be transmitted to a network policy enginefor the purpose of distributing policy enforcement to appropriate points(including close or at the point of entry) in the network. This enablesa finer granularity of enforcement and control of flows than has beenpreviously provided, if that is of interest.

Embodiments of policy enforcement options that may be established withgreater effectiveness include, but are not limited to: 1) disable aport; 2) disable MAC address; 3) disable a user; 4) quarantine a user;5) block a specific application flow; 6) block an IP address; 7) snipe aTCP connection; 8) disable communication for an application; 9) disablecommunications to an attached function; 10) disable a networkcommunication, in either or both of a forward path and a reverse path;11) bandwidth-limit an application by a particular user; 12)bandwidth-limit an application for all users of the network system; 13)log all application data; and 14) honeypot the application flow. Whilethe first four examples are widely in use, the others require theidentification of the application flow within the user/devices totaldata flow. This ability to characterize applications effectively may beused to establish new policies based on those applications and the newmetadata associated with those applications, which such new policies maynot be possible but for that information. One view of how thisfunctionality may be useful in a network security and efficiency controlenvironment is noted as follows. While all employees may be givenInternet access, limits may be placed on time-of-day access, bandwidth,or complete use of an application. Bandwidth or data limits can beplaced on uTube. Gambling application may be prohibited. This finergranularity of knowledge based on applications may be characterized inthis context as applying policy based on application layer metadata thatis transmitted on the wire. For example, the network administrator mayblock particular SSL connections based on a particular SSL certificatecommon name, or block Kerberos communications that rely on a particularkey. Policy enforcement may be targeted at the application levelallowing administrators to target policies best suited for theirbusiness needs.

The ability to identify applications running on any device of, orconnected to, the network infrastructure, as well as the ability todynamically mirror traffic enables the establishment of a novel networkarchitecture that may be configured to be applications-centric. Theapplication identification capability provided by the functionsdescribed herein allows the application to be identified, tied todevices and users, located in the network and controlled via organizednetwork policies. With proliferation of mobile devices, especiallysmartphones and tablets, and the countless applications (apps) availablefor them, there is a strong need for this added level of control.Components of the network architecture include: 1) the dynamic mirroringcapability described herein that is part of the network systemestablished or that can be established, in one or more packet forwardingdevices of the network, including one or more network entry devices; 2)the application identification function, which may be carried out in astandalone device or another device of the network infrastructure,including a device having packet forwarding as a primary function; and3) 4) network and policy management functions including a monitoringfunction, that can take in monitored information, including informationfrom the application identification function, network status and eventand administrative policy input, and can issue policy directives, eitherdirectly or through another network infrastructure device. This finalstep is also referred to as a Policy Decision Point (PDP) extended toembrace application level control. The enhanced ability of PolicyEnforcement Points (PEPs) of the network combined with typical networkdeployment paradigms (gateway, access edge, core/distribution, and datacenter) in order to maximize the ability to identify applicationsrunning through the network and the ability to apply network policycontrols to them based on that information and decision making enhancesnetwork operational efficiency while also maintaining or enhancingnetwork security. The architecture can also include aggregation andreporting functions that collect and analyze application identificationand other monitored information. That information may be used toenforce, add and establish network policies as well as mirroringpolicies.

The dynamic mirroring function enables a targeted approach to framemirroring in order to maximize application identification effectivenesswhile simultaneously minimizing data that must be mirrored to anidentification appliance or to any network infrastructure deviceconfigured to carry out the application identification function. Thisallows the whole solution to scale to extremely large and fast networks.The application identification function, which, as noted, may be astandalone device or embodied in another network infrastructure device,collects and analyzes the transferred frames of packet data flows thatare provided by dynamic mirroring and also integrate other information,such as Netflow information and the other application identificationmechanisms noted herein. The network policy function evaluates theinformation gathered and can apply network policy controls(enforcements) on a per-flow basis at, or close to flow ingress.

The details of one or more examples related to the invention are setforth in the accompanying drawings and the description below. Otherfeatures, objects, and advantages of the invention will be apparent fromthe description and drawings, and from any appended claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a simplified diagrammatic block representation of an examplenetwork system with the functions of the present invention.

FIG. 2 is a simplified block representation of a combination networkinfrastructure devices arranged for application identification.

FIG. 3 is a simplified block representation of an applicationidentification engine of the present invention.

FIGS. 4A-4C list scoring results for the identification of a set ofapplications generated by the scoring machine of the present invention.

FIG. 5 is a simplified block representation of the dynamic mirroringfunction of the present invention in a network device.

FIG. 6 is a representation of a packet modification encapsulating aframe or portion of a frame to be mirrored.

FIG. 7 is a simplified block representation of a first network topologyarrangement using dynamic mirroring and application identification.

FIG. 8 is a simplified block representation of a second network topologyarrangement using dynamic mirroring and application identification.

FIG. 9 is a simplified block representation of a third network topologyarrangement using dynamic mirroring and application identification.

FIG. 10 is a simplified block representation of a fourth networktopology arrangement using dynamic mirroring and applicationidentification.

FIG. 11 is a simplified flow diagram of primary steps associated with amethod for controlling dynamic traffic mirrors with mirroring policies.

FIG. 12 is a simplified flow diagram of primary steps associated with amethod for dynamically mirroring network traffic.

FIG. 13 is a simplified flow diagram of primary steps associated with amethod for managing operations of a network based on the ability toidentify computer applications running on the network.

FIG. 14 is a simplified flow diagram of primary steps associated with amethod for identifying computer applications running on a network.

FIG. 15 is a simplified flow diagram of primary steps associated with ascoring method for assessing the accuracy of the identification ofcomputer applications running on a network.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS OF THE INVENTION

The devices and systems of the present invention are individual andconnected hardware components including electrical elements, circuitryand functions embodied in those components. The hardware components aregenerally referred to as computing devices in that they combine physicalhardware structures with software that may include firmware and middleware for the purpose of executing instructions that produce the actionsdescribed herein. It is to be understood that the hardware devices thatare network infrastructure devices defined herein represent computingdevices suitable for executing the network functions described herein.Other types of computing devices may also be part of a network system ofthe present invention including such computing devices that performnetwork functions. Such other types of computing devices includelaptops, tablets and mobile devices including smartphones, for example.It is to be understood that a computing device described herein may beany type of device having a processor capable of carrying instructionsassociated with one or more computer applications. The illustrations ofthe network system devices presented in the drawings are simplifiedrepresentations and are in no way intended to be limiting as to theappearance of these devices. Further, while the devices may be shown inproximity to one another, it is to be understood that they may be localor remote with respect to one another and that there may be some devicesthat are located near one another while others and groups of others maybe remotely located.

Each of the devices described herein may include one or more discreteprocessor devices. One or more of the network infrastructure devicesdescribed herein are programmed to include one or more of the functionsdescribed. The devices may contain or be connected to one or moredatabases of other devices wherein the one or more databases includeinformation related to the invention. For example, the database mayinclude a library of application fingerprints, one or more policies tobe implemented on one or more of the devices and information aboutactions performed by the one or more devices. The one or more databasesmay be populated and updated with information by authorized users andattached functions.

The functions of the invention described herein with respect to theoperations of the devices may be described in the general context ofcomputer-executable instructions, such as program modules, beingexecuted by a computing device. Generally, program modules includeroutines, programs, objects, components, data structures, etc. thatperform particular tasks or implement particular abstract data types. Asnoted, the present invention can be practiced in distributed computingenvironments where tasks are performed by remote processing devices thatare linked through one or more data transmission media. In a distributedcomputing environment, program function modules and other data may belocated in both local and remote device storage media including memorystorage devices.

The processor, interactive drives, memory storage devices, databases andperipherals, such as signal exchange components, of a particular devicemay be interconnected through one or more electrical buses. The one ormore buses may be any of several types of bus structures including amemory bus or memory controller, a peripheral bus, and a local bus usingany of a variety of bus architectures. By way of example, and notlimitation, such architectures include Industry Standard Architecture(ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA)bus, Video Electronics Standards Association (VESA) local bus, andPeripheral Component Interconnect (PCI) bus.

Each of the devices of the present invention includes one or more of oneor more different computer readable media. Computer readable media canbe any available media that can be accessed by the processor andincludes both volatile and non-volatile media, removable andnon-removable media. By way of example, and not limitation, computerreadable media may be computer storage media and/or communication media.Computer storage media include volatile and non-volatile, removable andnon-removable media implemented in any method or technology for storageof information such as computer readable instructions, data structures,program modules or other data. Computer storage media include, but arenot limited to, RAM, ROM, EEPROM, flash memory or other memorytechnology, CD-ROM, digital versatile disks (DVD) or other optical diskstorage, magnetic cassettes, magnetic tape, magnetic disk storage orother magnetic storage devices, or any other medium which can be used tostore the desired information and which can be accessed by the computersystem.

Each of the devices further includes computer storage media in the formof volatile and/or non-volatile memory such as Read Only Memory (ROM)and Random Access Memory (RAM). RAM typically contains data and/orprogram modules that are accessible to and/or operated on by theprocessor. That is, RAM may include application programs, such as thefunctions of the present invention, and information in the form of data.The devices may also include other removable/non-removable,volatile/non-volatile computer storage and access media. For example, adevice may include a hard disk drive or solid state drive to read fromand/or write to non-removable, non-volatile magnetic media, a magneticdisk drive to read to and/or write from a removable, non-volatilemagnetic disk, and an optical disk drive to read to and/or write from aremovable, non-volatile optical disk, such as a CD-ROM or other opticalmedia. Other removable/non-removable, volatile/non-volatile computerstorage media that can be used in the devices to perform the functionalsteps associated with the system and method of the present inventioninclude, but are not limited to, magnetic tape cassettes, flash memorycards, digital versatile disks, digital video tape, solid state RAM,solid state ROM, and the like.

The drives and their associated computer storage media described aboveprovide storage of computer readable instructions, data structures,program modules and other data for the processor. A user may entercommands and information into the processor through input devices suchas keyboards and pointing devices, such as a mouse, a trackball, a touchpad or a touch screen. Other input devices may include a microphone,joystick, game pad, satellite dish, scanner, or the like. These andother input devices are connected to the processor through the systembus, or other bus structures, such as a parallel port or a universalserial bus (USB), but is not limited thereto. A monitor or other type ofdisplay device is also connected to the processor through the system busor other bus arrangement.

The processor is configured and arranged to perform the functions andsteps described herein embodied in computer instructions stored andaccessed in any one or more of the manners described. The functions andsteps, may be implemented, individually or in combination, as a computerprogram product tangibly as computer-readable signals on acomputer-readable medium, such as any one or more of thecomputer-readable media described. Such computer program product mayinclude computer-readable signals tangibly embodied on thecomputer-readable medium, where such signals define instructions, forexample, as part of one or more programs that, as a result of beingexecuted by the processor, instruct the processor to perform one or moreof the functions or acts described herein, and/or various examples,variations and combinations thereof. Such instructions may be written inany of a plurality of programming languages, for example, Java, VisualBasic, C, or C++, XML, HTML and the like, or any of a variety ofcombinations thereof. Furthermore all such programming may be integratedto eventual delivery of information and computed results via web pagesdelivered over the internet, intranets, 3G, 4 G or evolving networks tocomputing devices including those in the mobile environment, forexample, Smartphones or iPhone, iPad and the like or any variety ofcombinations thereof.

All the data aggregated and stored in the database or databases may bemanaged under an RDBMS for example Oracle, MySQL, Access, PostgreSQL andthe like or any of a variety of combinations thereof. The RDBMS mayinterface with any web based or program driven applications written inany compatible programming languages including PHP, HTML, XML, Java,AJAX and the like or any of a variety of combinations thereof. Thecomputer-readable medium on which such instructions are stored mayreside on one or more of the components described above and may bedistributed across one or more such components.

The present invention includes individual devices and combinations ofsuch devices and other devices as well as related methods to improve thesecurity and operation of a network system. Referring to FIG. 1, anetwork system 100 incorporating the functions of the present inventionoperates and provides network services to attached functions accordingto policies established on and transmitted to devices of a networkinfrastructure 101 through which the attached functions access and useservices of the network system 100. Network system 100 includes thenetwork infrastructure 101 and one or more attached functions connectedto or connectable to the network infrastructure 101. The networkinfrastructure 101 includes multiple switching devices, regional andcentral routing devices, authentication servers (such as authenticationserver 115), policy servers (such as policy server 103, which may alsoinclude a network management control function 125), network controlmanagement devices (separate from or including the network managementfunction 125, applications servers (such as application server 107),data centers containing information associated with network operations(such as data center 172), firewalls (such as firewall 118), IDSs,access points, MANs, WANs, VPNs, and internet connectivityinterconnected to one another and connectable to the attached functionsby way of connection points (e.g., 102 a-e). The network infrastructure101 includes such devices having packet forwarding functionality astheir primary functionality for the purpose of accessing and usingnetwork services. The network management control function 125 is shownas a single function in FIG. 1; however, it is to be understood that itrepresents network policy control, dynamic mirror control, dynamicmirror policy control and all other control functions described herein.It may be embodied in a single device of the network infrastructure 101or it may be embodied in multiple devices, wherein different devices maycontain one or more of the specific controllers described herein.

An attached function is external to infrastructure 101 and forms part ofnetwork system 100. Examples of attached functions 104 a-104 e arerepresented in FIG. 1, and may be any of the types of attached functionspreviously identified. Network infrastructure packet forwarding entrydevices 105 a-b, 140 and 150 of infrastructure 101 provide the means bywhich the external attached functions connect or attach to theinfrastructure 101. The firewall 118 may be deployed between anyattached function, particularly including an internet function, and anetwork entry device. Although shown as a single firewall in FIG. 1,other firewalls may be deployed. A network entry device can includeand/or be associated with a wireless access point (AP) 150. For wirelessconnection of an attached function to the infrastructure 101, thewireless access point 150 can be an individual device external orinternal to the network entry device 105 b. Wireless APs may or may notbe associated with a wireless controller (not shown) and these devicesmay alter the logical arrangement of access for attached functions butdo not substantially change the network topologies. In at least one way,appearing as the logical entry point for all wireless AP traffic, thewireless controllers may help aggregate AP traffic to a moreconsolidated point for monitoring and other activities, includingmirroring.

One or more devices of the network infrastructure 101, including one ormore standalone appliances, if desired, include an applicationidentification function 200 of the present invention. The applicationidentification function 200 is configured to characterize and identifythe application associated with a flow. Further, one or more devices ofthe network infrastructure 101 include a dynamic traffic mirroringfunction 300. The dynamic traffic mirroring function 300 is configuredto selectively mirror traffic of a flow to another device of the networkinfrastructure 101 including, but not limited to, a device including theapplication identification function 200. For the purpose of illustratingthe present invention, some of the devices include the applicationidentification function 200 and some include the dynamic trafficmirroring function 300. Some may include both and some may includeneither. One or more centralized network infrastructure devices mayinclude either or both of the functions 200 and 300. Further, there maybe a combination of network entry and centralized forwarding deviceshaving the application identification function 200 and/or the mirroringfunction 300 of the present invention. It is also to be noted that oneor more external attached functions may include one or both of functions200 and 300 provided that such external attached function is undereffective control of the network management control function 125.Moreover, as noted, the application identification function 200 may bein a standalone application identification appliance 180 of the networkinfrastructure 101, which appliance 180 may include the mirroringfunction 300. The appliance 180 shown in FIG. 1 includes a plurality ofdashed lines that represent the option to connect to one or more devicesof the network infrastructure 101 including, but not limited to, theentry devices 105 a-105 c and the central switching device 106.

One or more central forwarding devices, represented by central switchingdevice 106, enable the interconnection of a plurality of network entrydevices, such as devices 105 a-b, as well as access to network services,such as the central policy server 103, the application server 107 andthe authentication server 115. It is to be understood that a centralforwarding device, or an entry forwarding device, is not limited only toswitches as that term is traditionally understood. Instead, theforwarding device may be any device capable of forwarding signalsthrough the network infrastructure pursuant to forwarding protocols. Thecentral switching device 106 enables the interconnection of the networkinfrastructure 101 to attached external functions that include VPNs(represented by VPN gateway device 113) and WANs (represented byinternet cloud 130) as well as Internet Protocol (IP) telephones(represented by telephone 112), as well as to attached internalfunctions, such as printers, computing devices and the like representedas attached network functions 160 a-160 c. It is to be understood thatthe IP telephone 140 may also perform as a network entry device for thepurpose of connecting an attached function, such as a laptop computer,to the network infrastructure 101.

In packet forwarding devices such as the routers and switches of thenetwork, packets are received and forwarded as a normal part of theworking of these devices. Packets may be forwarded according to the OSIData Link layer (layer 2) specifications such as the IEEE 802.1D andsubsequent IEEE 802.1Q standards. Other switching or routing devices mayperform packet forwarding according to other known routing standards,such as IETF IPv4 and IPv6. These devices may support differentelectrical, RF and optical interfaces, and have different numbers ofeach interface, and also operate these interfaces at different speeds.These devices are suitable for configuration to carry out one or more ofthe functions described herein, including the dynamic traffic mirrorfunction and the application identification function. As a matter ofcourse in the classification of the packets for the packet forwardingcapability, the switching device may know the exact classification ofthe packet. For purposes of providing application identificationfunctionality, this capability can be built into the switching device toreport the classified traffic to a central or distributed form of theapplication engine forming part of a packet forwarding device or devicesand/or other devices of the network infrastructure 101 complete withscoring information regarding the application identificationclassification. This capability is available and available particularlywith respect to layer 2 protocols. Packets that are layer 2 classifiedby the packet forwarding device may or may not be forwarded to theapplication identification engine for processing. Different packetforwarding devices of the network infrastructure 101 may or may notsupport the layer 2 application identification classification andreporting function and thus may be treated differently by theapplication identification control function.

Signals are exchanged among the devices of the network infrastructureusing existing communication protocols. For purposes of gatheringinformation regarding applications using the network services and thestatus of network devices, the present invention includes the use of theindustry standards, NetFlow and Internet Protocol Flow InformationExport (IPFIX), for the purpose of transmitting and considering flowinformation. NetFlow was established by Cisco Systems for the purpose ofcollecting IP traffic information. NetFlow provides an establisheddesignation of seven elements of a packet that define thecharacteristics of a flow, including ingress interface, source IPaddress, destination IP address, IP protocol, source port for UniformDatagram Protocol (UDP) or Transmission Control Protocol (TCP),destination port for UDP or TCP and IP type of service. That informationis useful for determining flow characteristics, but it does not containall values that may be of interest and it does permit customization offlow characterization information to be collected. IPFIX is an IETFprotocol that solves some NetFlow limitations. It was created based onthe need for a common, universal standard of export for InternetProtocol flow information from switches, routers, probes, and otherdevices that are used by network management systems to monitor, manageand facilitate network usage and services. The IPFIX RFC defines how IPflow information is to be formatted and transferred from an exporter toa collector. The IPFIX standards requirements were outlined in theoriginal RFC 3917. The basic specifications for IPFIX were published in2008 as RFCs 5101, 5102 and 5103. In brief under IPFIX, data packetinformation is collected at a network device and sent to a collector ofthe network infrastructure. One device can send collected data to manycollectors and a collector can collect data from many devices of thenetwork.

IPFIX considers a flow to be any number of packets observed in aspecific timeslot and sharing a number of properties, e.g., “samesource, same destination, same protocol”, essentially a “flow”. UsingIPFIX, network devices such as switches can inform a central networkadministrator about the network as a whole and in individual locations.IPFIX is a push protocol, i.e., each device periodically sends IPFIXmessages to configured collectors, such as network management deviceswithout any request by the collectors. The actual makeup of data inIPFIX messages is to a great extent up to the device sending the data.IPFIX introduces the makeup of these messages to the receiver with thehelp of special Templates. The sender is also free to use user-defineddata types in its messages, so the protocol is freely extensible and canadapt to different scenarios. In one preferred embodiment, anapplication identification engine described herein embodying theapplication identification function 200 of the present invention usesthe encodings and extensions allowed through IPFIX as the protocol tocommunicate with the various other devices attempting to performspecific portions of the application identification process. IPFIXgenerally uses the Stream Control Transmission Protocol as its Transportlayer protocol, but also allows the use of the TCP and the UDP.

An application identification appliance 180 including the applicationidentification function 200 is represented in FIG. 2 in a simplified wayin relation to other devices of the network infrastructure 101 withwhich it communicates. The appliance 180 exchanges information andcommand signals with the network system control manager 125, which maybe associated with the central policy server 103 and which may beembodied in one or more devices of the network infrastructure 101. Anexample of the control manager 125 is the NetSight® management systemavailable from Enterasys Networks of Salem, N.H. The control manager 125may include or at least control a dynamic mirroring engine used tomirror traffic by a network packet forwarding device as described morefully herein. Such a mirroring engine may exist in another device of thenetwork infrastructure 101, including the device that does the mirroring

The appliance 180 includes a management engine 184 and an applicationidentification engine 186 that performs the application identificationfunction 200. The appliance 180 receives packets from other devices ofthe network infrastructure 101, such as network entry devices 105 a-c.Those packets are mirrored to the application identification engine 186on a regular basis or in a selectable way through dynamic trafficmirroring as described herein. The packets transmitted to theapplication identification engine 186 are assessed through a pluralityof mechanisms for characteristics representative of the applicationassociated with the packets transmitted. Further, the assessedcharacteristics are scored, including the option of weighting thedifferent mechanism equally or differently in the scoring, and acomposite is resolved as a specific application assessment. Thatassessment of the characterization of the packet or flow of packets istransmitted as information to the management engine 184 through IPFIX.The management engine 184 may optionally be configured to make a finaldetermination of the characterization of the application associated withthe packet or flow of packets and transmit the final determination tothe network system control manager 125. The appliance 180 may be furtherconfigured with additional statistical gathering, control inputs andcommunications connections to the control manager 125 through themanagement engine 184. The information gathered, examined and used inthe application identification as well as the output to the controlmanager 125 may be logged at the appliance 180 and/or elsewhere. Thelogged information is used to form a “history” of the applications andother information. The history may further be used as an input into theprocess of network application identification described herein. Morebroadly, the information may be stored as a source of determiningwhether a particular application has already been installed on a deviceof the network infrastructure 101.

The policy server 103 or another network management device of thenetwork infrastructure 101 may include an application identificationconfiguration engine 174 coupled to the management engine 184 of theappliance 180. The configuration engine 174 exchanges information andinstruction messages with the appliance 180 for the purposes of checkingthe status of the appliance 180, to modify the content of anapplications signatures library 185 of the appliance 180, to add customapplication identification components and to configure theidentification engine 186. Messages are exchanged in any way suitablefor device management including through, but not limited to MIBs andSNMP. That form of information and/or instruction exchange can be usedfor other actions described herein. Outputs of the identification engine186 associated with the characteristics of mirrored frames of packetsassociated with one or more flows are forwarded to the management engine184 by any suitable protocol for the network exchange of information.Frames mirrored from the network devices to the identification engine186 may also be mirrored directly to the management engine 184 fortransmission to the control manager 125 or network logging or to otherfunctions and devices. The mirrored frames may also be mirrored to oneor more other devices of the network infrastructure 101.

The application identification engine 186 is further represented in FIG.3. The application identification engine 186 includes a mirrored framesinterface 188, a network management interface 190, a results outputinterface 192, a set of different analysis mechanisms or functions 194a-194 h and a scoring analysis engine 198. The engine 186 receivesinformation and instructions from the configuration engine 174, conductsscoring analyses based on provided information and guidelines andoutputs scoring results through port 192 to the control manager 125 forfurther analyses, decision making, policy changes and the like. Examplesof the plurality of analysis mechanisms used in making a determinationabout the likely application associated with particular frames examinedinclude, but are not limited to: a) a comparison 194 a of one or moresignatures (pattern matching) associated with computer applications; b)port values 194 b; c) protocol values 194 c; d) statistics 194 d; e)heuristics 194 e; f) history 194 f; g) installed applications 194 g; andh) custom analysis 194 h that are administrator or user dependent. Theengine 186 receives instructions and information at the first entry port188 and mirrored packets at the second entry interface 190. The mirroredframes are further sent or shared with each of the analysis functions194 a-194 h for application identification. Effective applicationidentification typically requires the usage of multiple techniques forparsing and analyzing network communications. While shown as acompletely parallel and distinct set of operations, the operations maybe serialized; they may happen as specialized functions partially orcompletely in specialized hardware or other devices of the networkinfrastructure 101, and/or performed at separate times, and/or asseparate functions in separate devices. These detection and analysistechniques range from simple port comparisons all the way throughcomplex pattern matching algorithms, regular expressions, andstatistics-based determinations including packet and flow informationfrom other functions and devices. The following table describes someavailable application identification mechanisms used herein and examplesof each:

Detection Technique Example Fingerprintable Apps. Non-fingerprintableApps. TCP/UDP canonical UDP/53 == DNS DNS, HTTP, SSH, Applications onnon- port values SMTP, etc. standard ports, and apps that dynamicallyselect port values (P2P) IP Protocol value IP proto 47 == GRE GREtunnels, OSPF, Any application that IPIP (these aren't apps leveragesIPv4 or IPv6 really - just more interesting than IPv4 or IPv6) PatternMatching HTTP/20, User-Agent: HTTP, HTTPS, SSH, Encrypted Bittorrent,STMP, Facebook, Skype Yahoo, Twitter, etc. Regular ExpressionsHost\x2a\s(?:www)?youtube\x2ecom Accounts for complex EncryptedBittorrent, application layer Skype, anything that encodings - Facebook,requires extreme Yahoo, Twitter, etc. performance Statistics-based SPIDdatabase values for SSH Encrypted Bittorrent, ? Mechanisms bannersSkype, SSH, HTTPS, etc.The application identification engine 186 implements all of the abovetechniques including statistics-based fingerprinting so that “problem”protocols such as encrypted Bittorrent and Skype can be identified(fingerprinted).

It is useful to construct groups of application signatures for thepurposes of organization and clarity, especially for outputting resultsin a useful manner to network administrators and to serve as input topolicy driven network control. Many applications share a common purposeor usage pattern, and this helps to provide guidance for the generationof application groupings. For example, Facebook and Twitter are bothsocial networking applications even though the underlying technologiesand platforms powering both are quite different. Hence, it is useful toplace Facebook and Twitter into the “social networks” application groupalong with other similar applications such as Google's G+ service. Thetable below outlines a set of application groupings. Others may beemployed dependent on network management interests:

Application Group Unifying Characteristic Example Applications SocialNetworking Emphasis is on in-application user Facebook, Twitter, G+,LinkedIn communications and interactions VPNs and Security Encryptedcommunications SSH, OpenVPN, IPSEC, Scanners (such as Metasploit) GamesInteractive goal oriented entertainment Diablo III, Online PokerBusiness Applications Enterprise class productivity SAP, GERS, AgileDatabases Query/result model Oracle, MySQL, Postgres Peer-to-Peer Fileand data transfer Bittorrent, eDonkey, Kazaa Search Engines Web-basedstandard search model (to Google, Yahoo include indexing crawlers)Software Updates Local OS/application querying of Anti-virus updates,Microsoft updates, centralized software update service Linux patches WebApplications General bucket for web applications that Google Maps,Flickr, SSL certificate do not warrant inclusion within one of commonnames for arbitrary sites the other groups Internet Infrastructure CoreInternet protocols DNS, SMTP Miscellaneous/Custom Application does notwarrant inclusion Custom one-off networked application within one of theexisting groups

The following table represents a template of HTTP IPFIX for an“appflow-spec-v1” document. This template may be the basis forcharacterizing an application flow to be used in identifying it whereinmetadata are to be collected and generated via IPFIX.

Set ID = 2 Set Length = 152 Template ID = 258 Field Count = 27Observation point ID (observationPointId, 138) Unsigned32, 4 Exportprocess ID (exportingProcessId, 144) Unsigned32, 4 Flow ID(flowId, 148)Unsigned64, 8 Transaction ID(transactionId, 32897) Unsigned32, 4Enterprise ID Connection ID(connectionId, 32901) Unsigned32, 4Enterprise ID Ipversion(ipVersion, 60) Unsigned8, 1 IP protocolnumber(protocoIdentifier, 4) Unsigned8, 1 Padding(Padding, 210)Unsigned8, 2 Ipv4 SRC IP(sourceIPv4Address, 8) Ipv4address, 4 Ipv4 DSTIP(destinationIpv4Addres, 12) Ipv4address, 4 SRC Port(tcpSourcePort,182) Unsigned16, 2 DST Port(tcpDestinationPort, 183) Unsigned16, 2 PktCount(packetDeltaCount, 2) Unsigned64, 8 Byte Count(octetDeltaCount, 1)Unsigned64, 8 Flag(TCP Control Bits, 6) Unsigned8, 1 Flags(flowFlags,32900) Unsigned64, 8 Enterprise ID Time for first pkt indateTimeMicroseconds, microseconds(flowStartMicroseconds, 154) 8 Timefor last pkt in dateTimeMicroseconds, microseconds(flowEndMicroseconds,155) 8 ingressInterface(ingressInterface, 10) Unsigned32, 4egressInterface(egressInterface, 14) Unsigned32, 4 appID(appID, 32919)Unsigned32, 4 Enterprise ID HTTP Request URL(httpReqUrl, 32898)Enterprise ID HTTP Request Cookie(httpReqCookie, 32899) VariableLength,65535 Enterprise ID HTTP Request Referer(httpReqReferer, VariableLength,65535 32908) Enterprise ID HTTP Request Method(httpReqMethod,VariableLength, 65535 32909) Enterprise ID HTTP RequestHost(httpReqHost, VariableLength, 65535 32910) Enterprise ID HTTPRequest User-Agent(httpReqUserAgent, VariableLength, 65535 32911)Enterprise ID

A significant amount of information is included within raw flow recordsabout IP addresses, protocols, and transport layer port numbers. Giventhat there are over 10,000 assigned applications unique port values(which are 16-bits wide in the TCP and UDP headers), there is always thepossibility that that value can be derived by inferring the usage of anapplication on a network just by looking at mapping port values to theassociated IANA assigned application. That may be one of the analysisfunctions of the engine 184. For example, one could just take a singleflow record, take a look at the source or destination port, determinewhether the port is likely a server port or a randomly assigned sourceport, and then lookup the corresponding application in the IANA list.However, this by itself would mean that it would be possible to use Nmapto fool the fingerprint function into reporting that every scanned portis an application that is in use. Hence, it may be desirable to seewhether any data would actually be exchanged, and may be even to try torule out potential scanning activity. Having data exchanged is moreclear cut for TCP services, but UDP servers are under no obligation toreturn anything to inbound attached function traffic. Also, althoughIANA has defined port numbers for 10,000+ applications, not allapplications are of equal importance. As a result, it is an option to beselective in the fingerprinting process. Reasonable approachesinclude: 1) fingerprinting applications based on port values forspecific enterprise applications and/or 2) fingerprinting thoseapplications that reside in certain servers. In any case, there is valuein running fingerprinting code that parses through application layerdata and so the appliance 180 is configured to enable both a port-basedand a DPI-based application fingerprint be produced for each flow.

The following features are examples of the types of features that may beanalyzed in the pattern matching mechanism for applicationidentification:

Feature Rationale Example IP protocol test Restrict application layerinspection “tcp” based on IP protocol value to follow conventionalapplication usages of the transport layer Transport layer Applicationsusually communicate “22” port test over canonical port valuesApplication layer Many applications can be detected “SSH/2.0” stringmatches with some degree of reliability simply by looking for a simplestring within network traffic Pattern offset Some applications transmit“15” identifiable information at certain offsets within payload data -the offset applies to a search pattern Pattern depth Some applicationstransmit “100” identifiable information within certain depths of payloaddata - the depth applies to a search pattern Regular In order topartially application layer “.+ASCII\ Expressions complexity, regularexpressions are (.+SELECT” frequently necessary Pattern ChainingReliable application fingerprinting is “HTTP” + enhanced with theability to use “application/x- multiple patterns in a single shockwave-signature flash”

Examples of application signature messages against AOL IM traffic are:

14:12:11 [I] 192.168.86.109:53605 192.168.4.112:5190 n/a [APP:AOL](sp=53605, dp=5190, protocol=tcp)

14:12:11 [I] 192.168.6.49:5190 192.168.76.105:53602 n/a [APP:AOUICQ1](sp=5190, dp=53602)

14:12:11 [I] 192.168.76.105:53602 192.168.6.49:5190 n/a [APP:AOL/ICQ1](sp=53602, dp=5190)

14:12:11 [I] 192.168.4.112:5190 192.168.86.109:53605 n/a [APP:AOL](sp=5190, dp=53605, protocol=tcp)

14:12:11 [I] 192.168.6.49:5190 192.168.76.105:53602 n/a [APP:AOL/ICQ1](sp=5190, dp=53602)

Outputs of the respective analysis mechanisms 194 a-194 f are sharedwith the scoring analysis engine 198. This engine 198 may be located inthe appliance 180, the control manager 125 or other devices of thenetwork infrastructure. It is used to collect the information outputprovided by the different analysis mechanisms and to combine it withother information retrieved, derived or configured to assist indetermining the application which the analyzed flow is based upon asused on the network system. The history of applications previously usedon the network as well as those applications know to be installed on thenetwork may also be added to the analysis as two additional mechanisms,including as tiebreakers or added weighting, particularly when the othermechanisms deliver less than certain results, but not limited thereto.

FIGS. 4A-4C illustrate the results of using a plurality of mechanisms inthe scoring to assess the likely application associated with a flow thathas been mirrored to the application identification function 200, inwhich scores can range from 0 (no knowledge of the application based onthe mechanism used) to 100 (complete certainty of the application basedon the mechanism used). It can be seen that certain applications aremore amenable than others to certain analysis mechanisms. For example,social and search applications can be detected with a high degree ofconfidence using signature analysis while peer-to-peer applications aredifficult to detect using the signature approach but are detectableusing the heuristics mechanism. The API mechanism shown in FIGS. 4A-4Crepresents the inclusion of any analysis technique created for use inassociation with the identification function 200 including, but notlimited to, user created custom techniques of the network infrastructure101 of the present invention. The API is the interface through whichusers may add one or more analysis mechanisms to the scoring engine 198dependent on their particular experiences in a specific networkapplication.

An example of the dynamic traffic mirroring function 300 of the presentinvention, which may be used in conjunction with the applicationidentification function 200 or independent of that function, isrepresented in FIG. 5, which is a simplified representation of a packetforwarding device 400 configured to mirror frames of packets received onthe device 400, which may be part of the network infrastructure 101 andmay be a network entry (edge) device of a central (core) packetforwarding device of the type previously described but not limitedthereto. The device 400 includes the dynamic traffic mirroring function300. The device 400 includes one or more ports 402 for receiving andtransmitting packets. The device 400 is connected in a wired or wirelessway to a traffic source 404 and a traffic destination 406. It is furtherconnected in a wired or wireless way to a mirrored traffic destination408. The device 400 includes a control engine 410 configured to, amongother things, establish and/or manage one or more virtual portals 412associated with the transmission of mirrored frames of a flow set upbetween the traffic source 404 and the traffic destination 406. It is tobe noted that while they are referred to as the traffic source and thetraffic destination, it is to be understood that each may be configuredto transmit and receive traffic for example, in a flow between the two.The source and destination will have little or no knowledge of thetraffic between them being mirrored (copied) to another device.

One or more of the virtual portals 412 may be static in configurationand one or more may be dynamic in configuration. A static configurationmeans that the mirrored traffic is always transferred to the samemirrored traffic destination 408. On the other hand, a dynamicconfiguration means that the mirrored frames are transferred to themirrored traffic destination 408 through one or more selectableconfigurations. The destination may just be a service name (Any IDS, forexample) and the physical destination may change based on servicediscovery, availability, status, or priority and loading, perhapslearned via service announcements. Any of the physical ports (402) ofthe device 400 may be used for the transmission of the mirrored framesas required or needed by the virtual portal. It is to be noted that themirrored traffic destination 408 may be any device of the network system100, including the device 400. If the mirrored traffic destination 408is located within the device 400, the mirrored frames may be transferredby way of one of the one or more virtual portals 412 to one of the oneor more other portals 412 or the virtual portal may be representedsimply with a shared memory or other frame or data passing technique.

While the function of the portals 412 has generally been describedherein with respect to the transfer of frames, portions of frames orportions of more than one flow for the purpose of applicationidentification, the use of portals of the type described is not limitedto that specific use. It is also possible to transfer to other devicesor to other functions, whether in the same or another device, relatedinformation, such as information about the flow or flows but not limitedthereto. Once a portal is established to another function, such as theapplication identification engine 186, for example, the portal might beused to transport related or other information for reason of security orsimple ease of use, to that destination, which may be a knowndestination and which may be logical or physical. Further, the portalmay have been established for a particular destination and that samedestination may be used by other mirrors or the same mirrors for otherframes or different flows. It is possible to provide information, statusand flow statics, end-of-flow information, etc. which, while not part ofthe selected frames or filtered parts of the flow of packets, on anetwork, may aid, modify or enhance the function operating at thedestination of the portal in performing its task. This informationcould, in one embodiment, be sent in an IPFIX or IPF1X extended formatbut other formats and protocols are possible.

Although FIG. 5 depicts a particular frame mirroring configuration forthe device 400, one ordinarily skilled in the art will recognize andappreciate that other configurations are possible to enable themirroring of frames for a plurality of traffic sources, trafficdestinations and mirrored frames destinations. Moreover, the device 400may have more or fewer ports than as shown (including only a singleport) and more or fewer virtual portals than as shown.

The device 400 includes a mirror source point 414 and the control engine410 includes a mirror sending mechanism 416, either or both of which maybe implemented as software, hardware, or any combination thereof. In oneembodiment, the mirror source point 414 is associated with one of theone or more portals 412. The mirror source point 414 may be configuredto copy all or a portion of network traffic, such as on a frame by perframe basis, transmitted and/or received on a given port 402 or portal412. The mirror source point 414 is configured to replicate, duplicateor otherwise copy traffic of the traffic source 404. In another aspect,the mirror source point 414 identifies the point or location of a deviceof the network infrastructure 101 or of an attached function network,such as a port, queue, storage or memory location, from which themirroring of frames originates, initiates, or otherwise starts.Additionally, the mirror source point 414 may implement encryption ofthe traffic from the source 406 before initiating frame mirroring,alternately this service and others may be performed by the portal. Forexample, the mirror source point 414 may include one or more mechanismsto filter, encrypt, encapsulate, blank, scramble, or shave a frame ofmirrored traffic.

The mirror function 300 in general relies upon the packet forwardingfunction of the device 400 for service generally known to be performedby that device. Classification and packet forwarding function 420 may berelied upon to classify frames for forwarding as needed to other ports(402) of the device 400. This same forwarding function 420 can be usedto classify copy and deliver frames to the mirror function. When amirror is established and frames needed to be sent by one or more of theportals 412 via one or more of the ports of switching device 400 tomirror destination 408, the frames are typically handed toclassification and packet forwarding function 420 to be classified andforwarded according to typical switching and routing rules to thedestination as defined by the mirror portal established for thatparticular mirroring activity. Device 400 then transmits the frame(s)from the proper port(s) 402.

The mirrored traffic destination 408 may be any function or device ofthe network infrastructure 101, including the device 400, arranged toreceive and either transfer or analyze the mirrored frames, including adevice having the application identification function 200 describedherein. The destination 408 may include a function configurable toreceive mirrored and acknowledge network traffic. The mirror destinationpoint 408 may also optionally be part of the network system 100 but aspart of a network infrastructure different from the networkinfrastructure 101. The mirrored traffic destination 408 may include amechanism to decrypt, de-encapsulate, or un-scramble a received mirroredframe or frames. Further, the destination also contains the necessaryprotocol elements to provide flow control, frame acknowledgement andsuch matters as required by packet based transport as selected or usedby the portals 412.

As noted, the mirror source point 414 may be configured to copy some orall of the traffic associated with the traffic source 404. A portion ofany frame may be configured to be any granularity of the frame of thenetwork traffic. For example, one or more fields of one or more protocollayers of the frame may be configured to be mirrored. In anotherexample, only the data payload of one of the protocol layers of theframe may be mirrored. One ordinarily skilled in the art will recognizeand appreciate that all or any portion of network traffic, such as allor any available portion of a frame, a packet, or any other protocoldata unit, at one or more network protocol layers may be mirrored inpracticing the operations of the present invention described herein.Although the present invention is generally discussed in relation topackets (frames as they appears on the network physical links) ofnetwork traffic, one ordinarily skilled in the art will recognize andappreciate that a frame is a bundle or unit of data, that may be inbinary form, organized in a specific way for transmission. Moreover, oneordinarily skilled in the art will recognize and appreciate that anyunit or bundle of data associated with any of the protocol layers may beused in practicing the operations of the present invention as describedherein.

As noted, frames mirrored from the device 400 may be encapsulated. Anytype and/or form of protocol and any mechanism for encapsulation may beused. The mirrored frames, whether encrypted or not, may be encapsulatedusing a tunneling protocol, such as a secure tunneling protocol. Forexample, the tunneling protocol used by the present invention mayinclude any version and/or implementation of any of the followingtunneling protocols: a Point-To-Point Tunneling protocol (PPTP),Point-To-Point Protocol over Ethernet (PPPoE), Point-To-Point Protocolover ATM (PPPoA), a Layer 2 Tunneling Protocol (L2TP), a Generic RoutingEncapsulation (GRE), Internet Protocol Security (IPsec), IP in IPTunneling, and Multi-Protocol Label Switching (MPLS). One ordinarilyskilled in the art will recognize and appreciate that any bridgeable orroutable protocol may be used in practicing the operations of thepresent invention described herein.

In one embodiment, mirrored data of an original frame in a packetbecomes the data payload for a modified packet that includes theoriginal frame that is to be mirrored. The frame to be mirrored may beencapsulated such as with a tunnel configuration. Furthermore, thecontent of the mirrored frame may be encrypted.

In other embodiments of the invention, the network traffic is tunneledto the mirror traffic destination 408 via a higher level protocol, suchas HyperText Transfer Protocol Secure (HTTPS) or the Secure Socket Layer(SSL) protocol. For example, the mirrored network traffic may beencrypted and encapsulated via a secure web session using SSL and/orHTTP between the mirror source point 414 and the destination 408.

In one embodiment, a Medium Access Control (MAC) Layer 2 tunneling maybe used. A MAC-in-MAC tunneling techniques encapsulates a MAC frame withanother MAC header, or a second MAC header. FIG. 6 shows a simplifiedillustrative example of an original frame 600 of a packet of networktraffic to be mirrored modified in accordance with the technique of thisparticular tunneling method. Specifically, the frame 600 is encapsulatedin a MAC-in-MAC tunneling protocol. A second IEEE 802.3 MAC header 602is appended to the frame 600 to form a modified frame 604 that ismirrored. In some embodiments, all or a portion of the frame 600encapsulated with the second MAC header 602 may be encrypted. Forexample, data portion 606 of the frame 600 may be encrypted.

Additionally, the encapsulation of mirrored network traffic may be usedwith virtual leased line technologies and/or the Multiple Protocol LabelSwitching Standards, such as the Pseudo Wire Emulation Version 3standard (PWE3). Furthermore, any type and/or form of custom orproprietary encapsulation protocol, or any type and/or form of custom orproprietary encrypting and encapsulating protocol may used with thepresent invention. One ordinarily skilled in the art will recognize andappreciate the various types and/or forms of encapsulating or tunnelingprotocols that may be used for providing data privacy of at least aportion of mirrored network traffic during communications between themirror source point and the mirror destination point. The mirroredtraffic may be de-encapsulated and/or de-crypted at the destination 408for further processing.

In some embodiments of the present invention, the device 400 or otherdevices including the dynamic traffic mirroring function 200 may supportthe ability to mirror network traffic remotely over a network byutilizing the IEEE 802.1Q VLAN tag/field of the frame in a virtual LANenvironment (VLAN). VLAN environments are based on logical connectivityoverlay of the physical network, and as known to those ordinarilyskilled in the art, may include any type of VLAN, such as a port-basedVLAN, MAC-based VLAN, a protocol-based VLAN, or an ATM VLAN. In a VLANenvironment, remotely mirrored network traffic may have a specific IEEE802.1Q VLAN tag used by device 400 to help direct the mirrored networktraffic to a specified location and to isolate it from other traffic.Utilizing the VLAN tag, the frame relay logic of the device 400typically used for forwarding frames is enhanced. Network trafficmirrored in a VLAN environment may traverse or pass through many networksystem devices before reaching the mirror destination point 408.Regardless of the particular mechanism for transferring mirroredtraffic, the dynamic mirroring function 200 is arranged to configure oneor more of the portals 412 to mirror one or more packets, includingportions of packets, based on selected criteria. The configuration hasseveral dynamic aspects to it and there are a plurality of criteria usedin making a determination as part of dynamic mirroring policy of what,where and when to mirror. A first criterion involves selecting one ormore received frames for mirroring, which may be a flow that is definedand selected. A second criterion involves selecting one or more portionsof the frames for mirroring, which may include the entirety, of theframe, selected fields or excluded fields selected portions of a framebased on byte count, of each of the frames of the selected one or moreof the received frames to be mirrored. A third criterion involvesselecting which of the one or more portals through which to mirror theframes. A fourth criterion involves selecting where to mirror the frameswhich may determine the portal or may dynamically establish a newportal. A fifth criterion involves selecting when to stop the mirroringof the selected frames. A second dynamic aspect of the present inventionincludes a configuration of the control engine 410 to change theconfiguration of the selections and/or the selected criteria for themirror function, even during the active mirroring of frames, based uponthe detection of a triggering event or condition. Examples of suchtriggering events or conditions have been described above and areincorporated herein but the invention is not limited to those so listed.

The portals 412 may be configured by any means known to those skilled inthe art, such as through the use of SNMP, to provide the parametersneeded to determine or discover the portal destination, path to it andthe transport criteria needed. As an example, a mirror may have beenestablished by the policy-based mirroring function to mirror all trafficfrom a new attached function that has joined the network system 100.After a period of time based on one or more of policies, on the outputof an IDS, the output of the appliance 180 or another networkinfrastructure device including the application identification function200, and Network Access and Control (NAC) functions, the particularattached function might have the criteria for mirroring changed toreflect only mirroring, for example, the first 30 frames of a new flowto only the least loaded application identification function 200 of thenetwork infrastructure 101. This might reflect an attached function nowhaving a trusted, known, authenticated user, updated applications andvirus detection status, and generally displaying good network behavior.

It is also to be noted that the control engine 410 configured to changethe mirroring dynamically may be located in one or more other devices ofthe network infrastructure 101. Further, the control mechanism of thetraffic mirror function may be automatically changed during themirroring of traffic based on input of information to the control engine410 that initiates a mirroring change based on network policy, mirroringpolicies or both. The first selection criterion may be based on a fieldor selected fields in the packet. The selected field or fields may beone or more of: a) address fields; b) protocol fields; c) length or bytecount fields; and d) fields used in determining the value, meaning,placement or inclusion of other fields in the packet. The secondselection criterion may also be a selection of the fields in the packetto be mirrored, byte count of a first selected portion of the packet tobe mirrored and/or offset of a first selected portion of the packet tobe mirrored. Further, the third selection criterion may be: a) a countsetting of the frames meeting the first selection criterion; b) createdusing information contained in the packets mirrored or to be mirrored;c) created using information contained in packets not mirrored to theselected portal where mirroring occurs. The application layer of thepacket or series of packets may also be used as either or both of thefirst and second criteria. The control engine 410 is configured toinclude one or more inputs used in the analysis of what and when tomirror traffic from the traffic source 404. Input options include, butare not limited to: a) network events; b) application(s) detected; c)user authentication; d) type of device for the traffic source 404 or thetraffic destination 406; e) device status (virus level); f) deviceownership status (BYOD criteria); g) network policies; and othertriggering conditions as noted herein. Each of the one or more portals412 may be established through the device 400 in one or more ways asdescribed herein. For example, the portal 412 may be a tunnel to anotherdevice of the network system 100 including, for example a TCP/IP tunnel.It may also be based on packet encapsulation. That data encapsulationmay be a data link sub-layer encapsulation. Further, it may be based onthe traffic destination 406.

The ability to detect and identify applications running on devices ofthe network infrastructure 101 enables a new type of application basednetwork control. However, it comes at a cost of increased complexity andexpense to deploy the application identification function 200 in thenetwork infrastructure 101. Normally, the application identificationfunction 200 including the engine 186 would need to be deployedthroughout the network infrastructure 101 to insure a reasonabledetection of a sufficient portion of the traffic flows important to theorganization to permit reasonable control. The dynamic traffic mirroringfunction of the present invention dramatically eases the pain, expenseand complexity of engine 186 deployment allowing such applicationidentification engines to be placed almost at will by the networkadministrator, with the mirrors bringing to it the necessary trafficfrom any device of interest in the network infrastructure 101. Thedynamic mirrors are most logically located in the switches and otherdevices that are primarily packet forwarding devices, such as switchesand routers, as the incremental additional cost is relatively minor andheavily leverages the already existing capabilities these devices have;namely, to classify all incoming traffic, copy traffic as needed,rapidly modify frames and frame headers, filter and forward frames, andto support encapsulations, tunneling and routing technologies. Moreover,their positions in various network topologies make them almost ideal forthe task.

Examples of network topology organizational options are shown in FIGS.7-10. Components of the network that are numbered the same as in FIG. 1remain the same for purposes of describing the different topologyoptions. FIG. 7 shows a first network topology 700 in whichtransmissions from attached functions to the network infrastructure 101enter through edge network devices and all Internet traffic is forcedthrough firewall 118, which may be one or more firewalls scaled asdesired based on the size of the network. The firewall 118 performs itsgate keeping function and packets that are permitted to pass aretransferred to the network entry device 105, which represents one ormore network entry packet forwarding devices, such as switches. Thenetwork entry device 105 mirrors frames of the packets or portions ofone or more received frames to the application identification appliance180. The appliance 180 carries out its analysis with the applicationidentification function 200 as described herein and passes thatinformation to the policy server 103 or another network control deviceincluding the network control manager 125. The policy server 103 eitherhas established one or more network policies, which may include one ormore mirroring policies and/or rules for implementing mirroringpolicies, on the network entry device 105 or firewall 118 for thepurpose of allowing, blocking or restricting the transfer of frames fromthe network entry device 105 to the core switching device 106 and/oraccess to resources of the network system. Dependent upon the analysisof the frames mirrored to the appliance 180, the policy server 103 orthe manager 125 may dynamically adjust one or more network policies orenforcement rules of firewall 118 or the network entry device 105, thecore switching device 106 and/or any other devices of the network.

In a small business model network represented in FIG. 7, network entrydevice 105 may represent most or all the network switching devices ofthe topology 700. In small topologies, the management, policy control,and application identification function 200 may all be located in asingle server. For the small business office, Internet connected to thecorporate backbone, the network control and application identificationfunction may, in fact, be located at the corporate headquarters. Highpriority mirroring may take place immediately for new flows while locallogging and nightly transfer and analysis may optimize network cost atsome delay in terms of policy control and enforcement. As traffic grows,or a more responsive control is needed, local application identificationengine could be installed as a standalone appliance, such as inappliance 180, or as a function of a packet forwarding device, perhapssharing the load with the corporate-based primary applicationidentification function 200, with the dynamic mirrors providing thetraffic to the appropriate device based on mirror policy. While thepoint deployment of the mirrors would lead to no duplicate flows, ifmore than one switching device were installed in the network, sometraffic in the other device, assuming no local mirror, would not bereviewed by the application identification function(s) 200. A pointdeployment works well where the traffic in the network is typicallyfocused through a single, or a limited set of packet forwarding devices.Internet gateway and data center entry points are good examples ofplaces where mirror deployment would see little duplicate traffic and avery large portion of the traffic flows through a single or very limitednumber of packet forwarding devices.

The simplest topology case to understand is the firewall or gatewayaccess, such as a VPN, topology. In this topology, specific traffic isfocused through a single point or very limited set of points whenincluding load sharing and redundancy. These single points may be easilymirrored and there is almost no duplication of flows to be concernedwith. In addition, it is a likely a high-concern or high-risk location,but with limited or known bandwidth requirements. A more complextopology is the edge access device topology. Those network devicestypically connected to one or two devices (attached functions) locatedin every office of an enterprise, as an example. Low density userdevices are tied to the core of the network using lots of ports,different locations and, typically, multiple edge devices. While asingle port may not represent much traffic bandwidth, the aggregate ofall ports can become substantial. Mirrors can be created on a per portor per entry device basis but any enforcement usually requires amechanism to track addressing back to the physical port of entry devicesas an added step when compared to the gateway topology. The increasedbandwidth of high traffic spikes may also force a less holistic approachto mirroring; that is, you cannot analyze everything during high trafficperiods. A new policy may be needed for load shedding and establishingpriorities for excessive traffic in the mirrors or at the destinationdevices, such as application engines. Sampling flows, shedding trustedusers, limiting the time period of examining all flows from a device oruser are some such techniques to use dynamic mirroring to limit load toapplication identification, IDS and other monitoring engines.

FIG. 8 shows another network topology 800 and may represent a typicalmedium size enterprise with both core and edge switching. Transmissionsfrom the majority of the attached functions of the networkinfrastructure enter through the edge switching devices 105 a and 105 b.The network entry devices 105 a and 105 b do not include the dynamictraffic mirroring function 300 or they do not utilize that function tomirror frames to the appliance 180. Instead, the network entry devices105 a and 105 b forward frames in packets to the core device 106. Thetopology location of the core device 106 means the vast majority of allflow in the network passes through that particular packet forwardingdevice. Any application identification functions 200 directly attachedto the core device do not significantly increase traffic in the networkwhen mirrored to a dedicated port on the core device. The appliance 180carries out its analysis with the application identification function200 as described herein and passes that information to the policy server103 or another network control device including the network controlmanager 125. The policy server 103 either has established one or morepolicies, including one or more mirroring policies and/or one or morerules for implementing mirroring policies, on the network core device106 for the purpose of allowing, blocking or restricting the transfer offrames from the network core device 106 to other devices of the networkincluding attached network functions. Dependent upon the analysis of theframes mirrored to the appliance 180, the policy server 103 or themanager 125 may dynamically adjust one or more policies, includingmirroring policies, of the network entry device 105, the core switchingdevice 106 and/or any other devices of the network.

The network topology 900 of FIG. 9 includes network core focusedapplication identification and uses the output of appliance 180 toassist in policy decisions for securing the network. Rapid policydeployment of control in the core device 106 may be followed bydiscovery of the flow source and subsequent edge deployment at either orboth of network entry devices 105 a and 105 b, for example, of moretargeted control. Where some, but limited, mirroring capability mayexist at the network edge and/or large numbers of users exist, coredetection may be followed by limited mirroring with added detection atthe edge. This may lead to duplication of flows and an increasedrequirement to de-duplicate at the appliance 180 or one or more otherdevices of the network infrastructure I01 that include the applicationidentification function 200.

FIG. 10 shows another network topology 1000 suitable for use with a datacenter wherein one or more servers 175 of the data center are a coreasset to the enterprise. Within the enterprise, traffic from the networkentry device 105 a/105 b, which represent network entry packetforwarding devices, such as switches, passes eventually to a data centerswitch 1002 or equivalent packet forwarding device(s). The data centerswitch 1002 or equivalent forwarding device(s) forwards frames to andfrom a server or set of servers that represent a data center 1004through the network core packet forwarding device 106, which may be aswitch or a router and may be one or more devices in practice. Thenetwork entry devices 105 a and 105 b do not include the dynamic trafficmirroring function 300 or they do not utilize that function to mirrorframes to the appliance 180. Instead, the network entry device 105 a/105b forwards the frames to through the core switch and on to data centerswitch 1002. Frames are mirrored, if applicable, by mirror function 300a or 300 b to application identification engines of appliances 180 and181. The appliances 180 and 181 carry out their analysis with theapplication identification functions 200 as described herein and passthat information to the policy server 103 or another network controldevice including the network control manager 125. The policy server 103either has established one or more policies, including for mirroring, onthe network devices for the purpose of allowing, blocking or restrictingthe transfer of packets as required. Generally, enforcement is attemptedfirst at the lower bandwidth edge devices closer to the entry point ofpotentially harmful behavior when possible, but in any device of thenetwork infrastructure 101 as needed to support the network. Dependentupon the analysis of the frames mirrored to the appliance 180 and/or 181and possibly others as needed, the policy server 103 or the manager 125may dynamically adjust one or more policies, rules, Access Control Lists(ACLs) or parameters of the network entry device 105 a/105 b, the coreswitching device 106 and/or any other devices of the network.

The architecture 1000 of FIG. 10 is focused on understanding theapplications and usage of the data center 175 devices. Based on trafficmirroring at the data center switches 1002, the appliances 180 and 181would receive little duplicate traffic. However, data center switchingcan be some of the highest volume of traffic in the network and multiplemirrors, links, application identification engines and servers may beneeded to support the topology. One of the more important aspects of thearchitecture is the ability and flexibility to support and scale to eachof the topologies as shown with a few pieces of basic technology and toperform this in a cost effective manner. A pervasive mirroring topologysupports mirroring at all the packet forwarding devices of the networksystem. While providing unlimited access to the packet flows,duplication of the frames at the mirrors of each switch would requiremore intelligent control of them, perhaps mirrors that understandtopology, or de-duplication of the flows at the monitors and enginesreceiving the mirrored frames. Additional intelligent mirror control andnew policies may be added to help ease the duplication effect using bothapproaches.

The network architecture supporting the various topologies describedherein are examples of configurations that may be created whereknowledge of applications and topologies associated with flows exist, aswell as the ability to mirror some or all of such flows to obtainapplication identification and usage information. It is alsoadvantageous to have the ability to conduct mirroring activitiesdynamically, including when to mirror, how much to mirror, which devicesto use for mirroring and when to stop mirroring. Moreover, it is alsoadvantageous to configure such topologies including the ability tomodify dynamically network policies associated with the operation of thenetwork as a result of events, conditions, status, etc., detected basedon application information but not limited thereto.

The application identification end-to-end network architecture of thepresent invention expands the control network administrators have onexisting networks. Application identification and usage data, by user,by device and network location can now be used to provide an added levelof network control. However, application identification engines come ata cost, perhaps more than the cost of IDS engines currently in use. Theability to embed the application identification technology into allswitch devices would be prohibitively expensive. Dynamic mirrortechnology can be used to bring the packets to the device having theapplication identification engine while also providing an eleganttransition step which may, in fact, be the glue for the virtualplacement of all types of monitors, IDS, application identification,data loggers, and even server technology well into the future. Theportals described herein allow the mirrors to transport whole orfiltered flow data from anywhere, to anywhere in the network,efficiently and securely. The architecture implemented functions allowthe ability to start small with a single application identificationfunction 200 added to a network management server, examine flows fromthroughout the network (via mirroring) and upgrade policy control basedon real application identification data and usage, then grow topervasive deployment where virtually all new flows could be identifiedand controlled via policy. This ability to scale across small to verylarge topologies is an aspect of the control architecture. Scaling maybe accomplished by determining a comprehensive or specific level ofnetwork activity that could be handled by a single applicationidentification engine and mirroring frames to that engine. Additionalapplication identification engines can then be added as needed, eachtime the level of network activity exceeds the capacity of the installedapplication identification engines. It can be seen that this can be donefor a wide range of network sizes. As new application identificationengines are added to a network system the dynamic mirrors could locatethe least loaded engine and new flows would automatically be sent to theleast loaded engine. This allows near seamless upgrades as needs grow ortraffic increases. This eliminates the limitations of piecemeal and/ormanual control of network operations even when application informationhas been acquired. This architecture enables substantially completeapplication visibility and control. Previous technologies were cobbledtogether in order to achieve partial application visibility and controlin pieces, such as manual Access Control List (ACLs) but that is notenough to maximize network efficiency and provide real security. Thisarchitecture provides: a) effective, inexpensive mirroring at thenetwork ingress point for new flows, which aids in determining thesource of an identified application; b) cost efficiency, locatingexpensive application identification engines strategically, including atthe core rather than introducing them to all or a limited set of thenetwork packet forwarding devices. The ability to filter (by packets,fields, bytes, etc. as described herein) including through dynamictraffic mirroring is useful in minimizing network traffic andapplication identification engine overload. The network operation isenhanced through this architecture because it enables effective dynamicnetwork policy, including policy enforcement at an ingress point basedon knowledge of a source of undesirable activity on the network.

A simple example of the applicability of the architecture and itsassociated dynamic mirroring policy as well as traffic mirroring to morecentralized services and application identification will help illustratethe value of the present invention. In this example, a new userauthenticates to the network at the network entry device 105 using acomputing device as the attached function. The user's identification isknown based on content in a database associated with the authenticationserver 115. However, in the course of authentication, it is determinedeither through the authentication server 115 or the policy server 103that the user device is an unknown one. A defined dynamic mirror policyhas been established in the network entry device 105 for all unknownattached function devices. Based on the defined dynamic mirror policyand knowledge that the device is unknown, all flows associated with theuser are automatically mirrored to an IDS for a specified period of timeand all new flows established by that attached device are mirrored forthe first 20 frames to the appliance 180. The mirroring to the IDS wouldbe halted, assuming no condition exists to warrant further monitoring inthat regard, after a set time period and that particular IDS could beused to monitor the traffic from another device, the assumption beingthat if no undesirable event has occurred within one hour, the attacheddevice can be more trusted from a security perspective. At the sametime, all new flows would continue to be monitored and analyzed by theappliance 180. The appliance 180 would identify applications running onthe attached device. That information would be collected and the user'sapplication usage tendencies could be characterized and logged over aperiod of time. That information and the actions of the network entrydevice with respect to mirroring activities may be aggregated such as ina mirror policy engine of the manager 125. Mirroring to the appliance180 could be adjusted as desired, including reducing the number of flowsmirrored or selecting certain flows or types of flows to be mirrored. Ina situation wherein there exists a mirroring or traffic overload at thenetwork entry device, another network device (in the flow path for theattached device) may be used to dynamically establish a mirror for aflow or all flows that could not be accomplished in the network entrydevice for that attached function. As noted, the appliance 180 wouldlearn and log the applications detected as being used by the user on theattached device and further network policies could be applieddynamically or statically based on the discovered applications in use.

As represented in FIG. 11, a method 1100 of controlling dynamic trafficmirrors of the network system includes, after standard initial setup ofone or more devices of the network infrastructure 101 through networkadministration input as is typically done in the field of the presentinvention, step 1110 of providing in the one or more of the networkinfrastructure devices 101 one or more mirror policies. In step 1120,the network system 100 is continuously monitored for events, topologyand status of the network system. Dependent on the information gatheredin the monitoring, the method 1100 further includes step 1130 ofinstalling, enabling, selecting or changing automatically one or moretraffic mirrors in one or more of the devices of the networkinfrastructure 101. The one or more of the one or more mirror policiesprovided, installed, enabled, selected or changed implement one or morenetwork policies of the network system 100 and/or one or more rulesbased on one or more network policies. The method 1100 further includesas part of step 1100 or in addition to step 1100 before or after thatstep, step 1140 of establishing one or more criteria for the providing,installing, enabling, selecting or changing of the one or more mirrorpolicies based on the one or more network policies of the network system100 and/or the one or more rules based on one or more network policies.The method 1100 optionally provides under step 1130 the step ofselecting one or more of the one or more network infrastructure devicesfrom which to mirror the network traffic based on one or more of the oneor more criteria.

The method 1100 includes the optional step of selecting a destinationfor the mirrored traffic based on one or more of the one or morecriteria. The destination may be one or more of: a) one or more of theplurality of network infrastructure devices 101; b) one or more networkservices; c) a function of the network system 101; and d) a portal 412.The method further includes the step of selecting a portion of thenetwork traffic to mirror. The selected portion may be any one of: a) aflow of packets; b) a set of packets within a flow; and c) a portion ofone or more frames of one or more packets within a flow. Anotheroptional step of the method 1100 is determining when to stop themirroring of the network traffic. The stopping may be based on one ormore of: a) one or more of the one or more criteria noted above; b) oneor more mirror policies or one or more network policies; and c) one ormore priorities of one or more other network traffic flows. The method1100 also includes the optional step of securing the network traffic tobe mirrored prior to mirroring. That securing may be accomplished by oneor more of: a) providing a tunnel; b) encrypting the content of thenetwork traffic; and c) providing an encrypted tunnel. Examples ofmirror policies that may be established include, but are not limited to:a) allowing a source of the mirrored network traffic to choose thedestination of that mirrored network traffic; b) mirroring selectablenetwork traffic based on an attached function or user generating thenetwork traffic to be mirrored or content of the network traffic to bemonitored. The mirror policies established may be based on one or moreof: a) a role of an authenticated user of the network system 100; b) adevice using the network system 100; c) a type of a device using thenetwork system 100; d) local packet classification; e) time of day; f)other events which may be monitored; and network policies. The method1100 further optionally includes the step of storing the one or moremirror policies in the one or more devices of the network infrastructuredevices 101. Those stored one or more mirror policies may be changed.

As represented in FIG. 12, a method 1200 is provided for mirroring oneor more frames of one or more packets of a flow established in a networksystem signal exchange. After standard initial setup of one or moredevices of the network infrastructure 101 through network administrationinput as is typically done in the field of the present invention, afirst step 1210 of the method 1200 is to establish a first criterion forselecting one or more received frames for mirroring. A second step 1220is to establish a second criterion for selecting one or more portions ofthe frames for mirroring. A third step 1230 is to establish a thirdcriterion for selecting one or more portals through which to mirror theframes. A fourth step 1240 is to establish a fourth criterion forestablishing a destination for the mirrored frames. A fifth step 1250 isto establish a fifth criterion for the establishment of a mirror in adevice of the network infrastructure. The established criteria are usedin step 1260 to create one or more portals 412 in one or more of theplurality of devices of the network infrastructure 101 meeting thecriteria for establishing a mirror to mirror the selected frames. Themethod 1200 then includes step 1270 of carrying out the mirroring of theselected frames through the created one or more portals 412. An optionalstep of the method 1200 is to change one or more of the criteria. Themethod 1200 further includes the optional step of establishing a sixthcriterion for stopping the mirroring. The method 1200 includes anoptional further step of modifying automatically the mirroring of theselected frames during mirroring.

The mirroring instructions associated one or more of the criteria may begenerated, changed, modified or otherwise adjusted based on one or moreof: a) network events; b) applications detected; c) user authentication;d) type of the device; e) status of the device; f) ownership of anattached function attached to the device; and g) triggers. The method1200 includes the option as part of step 1260 the step of establishingan encapsulation for the frames to be mirrored via the one or moreportals 412. Portal selection may be carried out under the method 1200based on one or more of: a) source address, destination address or bothof the received frames; b) one or more fields in the frames to bemirrored; c) performance; d) network or other security; and e) locationof the mirror, destination of the mirroring or both.

As represented in FIG. 13, a method 1300 is provided for the managementof operations of the network system 100. The method 1300 includes, afterstandard initial setup of one or more devices of the networkinfrastructure 101 through network administration input as is typicallydone in the field of the present invention, step 1310 of establishing onone or more packet forwarding devices of the network infrastructure 101one or more network policies or rules implementing one or more networkpolicies for forwarding frames of received packets based on computerapplications running or attempting to run on the network system 100.Under step 1320, the network system 100 is monitored continuously forcomputer applications running on the network system 100 for those thatmay trigger one or more changes in the operations of one or more devicesof the network infrastructure 101. It further includes step 1330 ofchanging one or more of the one or more of the enforcement policies orrules on one or more devices of the network infrastructure 101 based onthe detection of one or more computer applications running on one ormore of the plurality of devices of the network infrastructure 101. Itis contemplated that the network manager is able to identify theapplications running on the network system 100 based on one or moreframes associated with the operation of the network system 100, such asby using the application identification function 200 described herein.The one or more network policies and/or rules include at least one of aset of ingress rules, egress rules, and mirroring rules. Step 1330includes as an option for changing to change the mirroring of selectableframes of the received packets to the application identificationappliance 180 of the network infrastructure 101. Further, the one ormore policies to change may be one or more of, but not limited to: a)block a specific application flow; b) block an IP address; c) snipe aTCP connection; d) disable communication for an application; e) disablecommunications to an attached function; f) disable a networkcommunication, in either or both of a forward path and a reverse path;g) bandwidth-limit an application by a particular user; h)bandwidth-limit an application for all users of the network system 100;i) log all application data; and j) honeypot the application flow.

As represented in FIG. 14, a method 1400 is provided for monitoring thenetwork system 100 to identify one or more computer applications runningon one or more network devices. The method 1400 includes a first step1410 of receiving on a device of the network infrastructure 101 one ormore packets containing one or more frames, wherein the one or moreframes are associated with a computer application. Next, in step 1420,the content of the frames is examined for one or more signaturesassociated with the computer application and for other informationobtained from one or more mechanisms. In step 1430, the examined contentis compared with computer application information of the one or moresignatures and the other information. In step 1440, a most likely matchis established for the computer application associated with the one ormore frames derived from the comparison. In step 1450, the matchinformation is outputted representing an indication of a likely computerapplication associated with the examined frames based on the comparison.The information about the likely match may include a level of confidencein the indication. Optionally under the method 1400, the informationfrom the mechanisms may be weighted. The method 1400 further includesthe optional steps of: a) scoring the comparison to assess the likelyaccuracy of the correlation between the computer application identifiedby the one or more signatures comparison and the other information; andb) generating a single output with an identification of the likelycomputer application associated with the received one or more frames.The method 1400 may also include the step of adding one or more othermechanisms, including custom mechanisms, as part of the comparison. Theother mechanisms may be provided through an application programminginterface. The step 1450 of outputting the information may be carriedout by transmitting the identification of the likely computerapplication to a network control manager.

As represented in FIG. 15, a method 1500 is provided for identifying oneor more computer applications running or attempting to run on thenetwork system 100. The method 1500 includes step 1510 of firstreceiving information of one or more frames forwarded by one or moredevices of the network infrastructure 101, wherein the information isindicative of one or more computer applications. Step 1520 involvescomparing information of one or more frames forwarded with informationof a computer applications identification database. The information ofthe database is obtained through multiple mechanisms. In step 1530, theinformation is used to establish a score for each computer applicationthat may match the received information of the one or more frames.Finally, under step 1540, one or more computer applications aredesignated as being associated with the one or more frames based on theestablished score. The designation information provided optionallyincludes an indication of the confidence in the designation. An optionalstep of the method 1500 is to weight the likely accuracy of the one ormore indicators in the comparison. The indicators may not be weightedequally. The mechanisms used to establish the computer applicationsinformation includes, but is not limited to: a) computer applicationsignatures; b) TCP/UDP canonical port value; c) IP protocol value; d)heuristics; e) regular expression; f) history; g) applications installedon the network; and h) statistics. The method 1500 optionally includesthe step of establishing the score by combining scores for each type ofreceived information. The history and installed applications mechanisms,for example, may be used to weight the reliability of the informationobtained from the other mechanisms.

A number of examples to help illustrate the invention have beendescribed. Nevertheless, it will be understood that variousmodifications may be made without departing from the spirit and scope ofthe invention. Accordingly, other embodiments are within the scope ofthe claims appended hereto.

What is claimed is:
 1. A device that mirrors selected frames to enhancesecurity in a network system of a plurality of network infrastructuredevices, the device comprising: a. a physical port configured to:receive, from an unknown device, packets including a plurality offrames, and send selectable ones of the plurality of frames to anothernetwork infrastructure device that detects harmful network activitybased on the selectable ones of the plurality of frames; and b.processing circuitry configured to: mirror, through a portal attached tothe physical port, the selectable ones of the plurality of frames of thereceived packets by delivering, via a transport level tunnel, a copy ofthe selectable ones of the plurality of frames, to the another networkinfrastructure device based on one or more of criteria; and determinethat a data value in a packet field that indicates the harmful networkactivity has not been detected in the selectable ones of the pluralityof frames; stop the mirroring of the selectable ones of the plurality offrames, in response to determining that the data value that indicatesthe harmful network activity has not been detected in the selectableones of the plurality of frames.
 2. The device of claim 1, wherein theone or more criteria includes a criterion for selecting one or moreframes of the plurality of frames included in the received packets formirroring.
 3. The device of claim 1, wherein the one or more criteriaincludes a criterion for selecting one or more portals through which tomirror the selectable ones of the plurality of frames.
 4. The device ofclaim 1, wherein the one or more criteria includes a criterion forselecting one or more portions of the plurality of frames for mirroring.5. The device of claim 4, wherein the one or more portions of theplurality of frames selected for mirroring is a field of the pluralityof frames or a portion of the field of the plurality of frames and thefield or the portion of the field is selected from a group consisting ofaddress fields, protocol fields, length fields, byte count fields, andfields used in determining a value, meaning, placement or inclusion ofother fields.
 6. The device of claim 1, wherein the criterion forstopping mirroring is based on information about an application runningon the network system.
 7. The device of claim 6, wherein the informationfor stopping mirroring is information contained in the selectable onesof the plurality of frames.
 8. The device of claim 1, wherein the one ormore criteria includes a criterion for establishing a destination of themirrored selectable ones of the plurality of frames.
 9. The device ofclaim 1, configured to receive mirroring instructions for the devicebased on one or more of: a. network events; b. applications detected; c.user authentication; d. type of the device; e. status of the device; f.ownership of an attached function attached to the device; and g.triggers.
 10. The device of claim 1, wherein the portal is a tunnel toanother device of the network infrastructure.
 11. The device of claim 1,wherein the mirrored selectable ones of the plurality of frames areencapsulated in a data link layer encapsulation.
 12. The device of claim1, wherein the portal or a type of the portal is selectable based on oneor more of: a. source address, destination address or both of theplurality of frames; b. one or more fields in the plurality of frames tobe mirrored; c. performance; d. security; and e. location of a mirror,destination of the mirroring or both.
 13. A method for mirroring framesof packets of a flow established in a network system signal exchange toenhance security, wherein a network system signal exchange includes aplurality of network infrastructure devices, and wherein the pluralityof network infrastructure devices include a network infrastructuredevice configured to mirror the frames to another network infrastructuredevice that detects harmful network activity based on the frames, themethod comprising: a. receiving, at a physical port of the networkinfrastructure device, packets including a plurality of frames from anunknown device; b. mirroring, by the network infrastructure device,through a portal attached to the physical port, selectable ones of theplurality of frames by delivering, via a transport level tunnel, a copyof the selectable ones of the plurality of frames, to the anothernetwork infrastructure device; c. determining that a data value in apacket field that indicates the harmful network activity has not beendetected in the selectable ones of the plurality of frames; and d.stopping the mirroring of the selectable ones of the plurality offrames, in response to determining that the data value that indicatesthe harmful network activity has not been detected in the selectableones of the plurality of frames.
 14. The method of claim 13, furthercomprising establishing one or more criteria for mirroring theselectable ones of the plurlity of frames.
 15. The method of claim 14,wherein the one or more criteria are selected from: a. a first criterionfor selecting one or more of the selectable ones of the plurality offrames for mirroring; b. a second criterion for selecting one or moreportions of the selectable ones of the frames for mirroring; c. a thirdcriterion for selecting the portal to mirror the selectable ones of theplurality of frames; d. a fourth criterion for establishing adestination for the mirrored selectable ones of the plurality of frames;and e. a fifth criterion for the establishment of a mirror in one ormore of the plurality of network infrastructure devices.
 16. The methodof claim 13, further comprising modifying automatically the mirroring ofthe selectable ones of the plurality of frames during mirroring.
 17. Themethod of claim 13, further comprising generating mirroring instructionsbased on one or more of: a. network events; b. applications detected; c.user authentication; d. type of the network infrastructure device; e.status of the network infrastructure device; f. ownership of an attachedfunction attached to the network infrastructure device; and g. triggers.18. The method of claim 17, further comprising modifying the mirroringinstructions based on one or more of: a. network events; b. applicationsdetected; c. user authentication; d. type of the network infrastructuredevice; e. status of the network infrastructure device; f. ownership ofan attached function attached to the network infrastructure device; andg. triggers.
 19. The method of claim 13, further comprising creating theportal in the network infrastructure device configured to mirror frames.20. The method of claim 19, wherein the portal or a type of the portalis selectable based on one or more of: a. source address, destinationaddress or both of the selectable ones of the plurality of frames; b.one or more fields in the selectable ones of the plurality of frames tobe mirrored; c. performance; d. security; and e. location of a mirror,destination of the mirroring or both.
 21. The method of claim 13,wherein the network infrastructure device configured to mirror frames isa packet forwarding device of the plurality of network infrastructuredevices.